apache
Version information
This version is compatible with:
- Puppet Enterprise 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
- Puppet >= 4.7.0 < 6.0.0
- , , , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'puppetlabs-apache', '2.1.0'
Learn more about managing modules with a PuppetfileDocumentation
apache
Table of Contents
- Module description - What is the apache module, and what does it do?
- Setup - The basics of getting started with apache
- Usage - The classes and defined types available for configuration
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
- Contributing to the apache module
- [Running tests - A quick guide][Running tests]
Module description
Apache HTTP Server (also called Apache HTTPD, or simply Apache) is a widely used web server. This Puppet module simplifies the task of creating configurations to manage Apache servers in your infrastructure. It can configure and manage a range of virtual host setups and provides a streamlined way to install and configure Apache modules.
Setup
What the apache module affects:
- Configuration files and directories (created and written to)
- WARNING: Configurations not managed by Puppet will be purged.
- Package/service/configuration files for Apache
- Apache modules
- Virtual hosts
- Listened-to ports
/etc/make.conf
on FreeBSD and Gentoo
On Gentoo, this module depends on the gentoo/puppet-portage
Puppet module. Note that while several options apply or enable certain features and settings for Gentoo, it is not a supported operating system for this module.
Warning: This module modifies Apache configuration files and directories and purges any configuration not managed by Puppet. Apache configuration should be managed by Puppet, as unmanaged configuration files can cause unexpected failures.
To temporarily disable full Puppet management, set the
purge_configs
parameter in theapache
class declaration to false. We recommend this only as a temporary means of saving and relocating customized configurations.
Beginning with Apache
To have Puppet install Apache with the default parameters, declare the apache
class:
class { 'apache': }
When you declare this class with the default options, the module:
- Installs the appropriate Apache software package and required Apache modules for your operating system.
- Places the required configuration files in a directory, with the default location Depends on operating system.
- Configures the server with a default virtual host and standard port ('80') and address ('*') bindings.
- Creates a document root directory Depends on operating system, typically
/var/www
. - Starts the Apache service.
Apache defaults depend on your operating system. These defaults work in testing environments but are not suggested for production. We recommend customizing the class's parameters to suit your site.
For instance, this declaration installs Apache without the apache module's default virtual host configuration, allowing you to customize all Apache virtual hosts:
class { 'apache':
default_vhost => false,
}
Note: When
default_vhost
is set tofalse
, you have to add at least oneapache::vhost
resource or Apache will not start. To establish a default virtual host, either set thedefault_vhost
in theapache
class or use theapache::vhost
defined type. You can also configure additional specific virtual hosts with theapache::vhost
defined type.
Usage
Configuring virtual hosts
The default apache
class sets up a virtual host on port 80, listening on all interfaces and serving the docroot
parameter's default directory of /var/www
.
To configure basic name-based virtual hosts, specify the port
and docroot
parameters in the apache::vhost
defined type:
apache::vhost { 'vhost.example.com':
port => '80',
docroot => '/var/www/vhost',
}
See the apache::vhost
defined type's reference for a list of all virtual host parameters.
Note: Apache processes virtual hosts in alphabetical order, and server administrators can prioritize Apache's virtual host processing by prefixing a virtual host's configuration file name with a number. The
apache::vhost
defined type applies a defaultpriority
of 15, which Puppet interprets by prefixing the virtual host's file name with15-
. This all means that if multiple sites have the same priority, or if you disable priority numbers by setting thepriority
parameter's value to false, Apache still processes virtual hosts in alphabetical order.
To configure user and group ownership for docroot
, use the docroot_owner
and docroot_group
parameters:
apache::vhost { 'user.example.com':
port => '80',
docroot => '/var/www/user',
docroot_owner => 'www-data',
docroot_group => 'www-data',
}
Configuring virtual hosts with SSL
To configure a virtual host to use SSL encryption and default SSL certificates, set the ssl
parameter. You must also specify the port
parameter, typically with a value of '443', to accommodate HTTPS requests:
apache::vhost { 'ssl.example.com':
port => '443',
docroot => '/var/www/ssl',
ssl => true,
}
To configure a virtual host to use SSL and specific SSL certificates, use the paths to the certificate and key in the ssl_cert
and ssl_key
parameters, respectively:
apache::vhost { 'cert.example.com':
port => '443',
docroot => '/var/www/cert',
ssl => true,
ssl_cert => '/etc/ssl/fourth.example.com.cert',
ssl_key => '/etc/ssl/fourth.example.com.key',
}
To configure a mix of SSL and unencrypted virtual hosts at the same domain, declare them with separate apache::vhost
defined types:
# The non-ssl virtual host
apache::vhost { 'mix.example.com non-ssl':
servername => 'mix.example.com',
port => '80',
docroot => '/var/www/mix',
}
# The SSL virtual host at the same domain
apache::vhost { 'mix.example.com ssl':
servername => 'mix.example.com',
port => '443',
docroot => '/var/www/mix',
ssl => true,
}
To configure a virtual host to redirect unencrypted connections to SSL, declare them with separate apache::vhost
defined types and redirect unencrypted requests to the virtual host with SSL enabled:
apache::vhost { 'redirect.example.com non-ssl':
servername => 'redirect.example.com',
port => '80',
docroot => '/var/www/redirect',
redirect_status => 'permanent',
redirect_dest => 'https://redirect.example.com/'
}
apache::vhost { 'redirect.example.com ssl':
servername => 'redirect.example.com',
port => '443',
docroot => '/var/www/redirect',
ssl => true,
}
Configuring virtual host port and address bindings
Virtual hosts listen on all IP addresses ('*') by default. To configure the virtual host to listen on a specific IP address, use the ip
parameter:
apache::vhost { 'ip.example.com':
ip => '127.0.0.1',
port => '80',
docroot => '/var/www/ip',
}
You can also configure more than one IP address per virtual host by using an array of IP addresses for the ip
parameter:
apache::vhost { 'ip.example.com':
ip => ['127.0.0.1','169.254.1.1'],
port => '80',
docroot => '/var/www/ip',
}
You can configure multiple ports per virtual host by using an array of ports for the port
parameter:
apache::vhost { 'ip.example.com':
ip => ['127.0.0.1'],
port => ['80','8080']
docroot => '/var/www/ip',
}
To configure a virtual host with aliased servers, refer to the aliases using the serveraliases
parameter:
apache::vhost { 'aliases.example.com':
serveraliases => [
'aliases.example.org',
'aliases.example.net',
],
port => '80',
docroot => '/var/www/aliases',
}
To set up a virtual host with a wildcard alias for the subdomain mapped to a directory of the same name, such as 'http://example.com.loc' mapped to /var/www/example.com
, define the wildcard alias using the serveraliases
parameter and the document root with the virtual_docroot
parameter:
apache::vhost { 'subdomain.loc':
vhost_name => '*',
port => '80',
virtual_docroot => '/var/www/%-2+',
docroot => '/var/www',
serveraliases => ['*.loc',],
}
To configure a virtual host with filter rules, pass the filter directives as an array using the filters
parameter:
apache::vhost { 'subdomain.loc':
port => '80',
filters => [
'FilterDeclare COMPRESS',
'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html',
'FilterChain COMPRESS',
'FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no',
],
docroot => '/var/www/html',
}
Configuring virtual hosts for apps and processors
To set up a virtual host with suPHP, use the following parameters:
suphp_engine
, to enable the suPHP engine.suphp_addhandler
, to define a MIME type.suphp_configpath
, to set which path suPHP passes to the PHP interpreter.directory
, to configure Directory, File, and Location directive blocks.
For example:
apache::vhost { 'suphp.example.com':
port => '80',
docroot => '/home/appuser/myphpapp',
suphp_addhandler => 'x-httpd-php',
suphp_engine => 'on',
suphp_configpath => '/etc/php5/apache2',
directories => [
{ 'path' => '/home/appuser/myphpapp',
'suphp' => {
user => 'myappuser',
group => 'myappgroup',
},
},
],
}
To configure a virtual host to use the Web Server Gateway Interface (WSGI) for Python applications, use the wsgi
set of parameters:
apache::vhost { 'wsgi.example.com':
port => '80',
docroot => '/var/www/pythonapp',
wsgi_application_group => '%{GLOBAL}',
wsgi_daemon_process => 'wsgi',
wsgi_daemon_process_options => {
processes => '2',
threads => '15',
display-name => '%{GROUP}',
},
wsgi_import_script => '/var/www/demo.wsgi',
wsgi_import_script_options => {
process-group => 'wsgi',
application-group => '%{GLOBAL}',
},
wsgi_process_group => 'wsgi',
wsgi_script_aliases => { '/' => '/var/www/demo.wsgi' },
}
As of Apache 2.2.16, Apache supports FallbackResource, a simple replacement for common RewriteRules. You can set a FallbackResource using the fallbackresource
parameter:
apache::vhost { 'wordpress.example.com':
port => '80',
docroot => '/var/www/wordpress',
fallbackresource => '/index.php',
}
Note: The
fallbackresource
parameter only supports the 'disabled' value since Apache 2.2.24.
To configure a virtual host with a designated directory for Common Gateway Interface (CGI) files, use the scriptalias
parameter to define the cgi-bin
path:
apache::vhost { 'cgi.example.com':
port => '80',
docroot => '/var/www/cgi',
scriptalias => '/usr/lib/cgi-bin',
}
To configure a virtual host for Rack, use the rack_base_uris
parameter:
apache::vhost { 'rack.example.com':
port => '80',
docroot => '/var/www/rack',
rack_base_uris => ['/rackapp1', '/rackapp2'],
}
Configuring IP-based virtual hosts
You can configure IP-based virtual hosts to listen on any port and have them respond to requests on specific IP addresses. In this example, the server listens on ports 80 and 81, because the example virtual hosts are not declared with a port
parameter:
apache::listen { '80': }
apache::listen { '81': }
Configure the IP-based virtual hosts with the ip_based
parameter:
apache::vhost { 'first.example.com':
ip => '10.0.0.10',
docroot => '/var/www/first',
ip_based => true,
}
apache::vhost { 'second.example.com':
ip => '10.0.0.11',
docroot => '/var/www/second',
ip_based => true,
}
You can also configure a mix of IP- and name-based virtual hosts in any combination of SSL and unencrypted configurations.
In this example, we add two IP-based virtual hosts on an IP address (in this example, 10.0.0.10). One uses SSL and the other is unencrypted:
apache::vhost { 'The first IP-based virtual host, non-ssl':
servername => 'first.example.com',
ip => '10.0.0.10',
port => '80',
ip_based => true,
docroot => '/var/www/first',
}
apache::vhost { 'The first IP-based vhost, ssl':
servername => 'first.example.com',
ip => '10.0.0.10',
port => '443',
ip_based => true,
docroot => '/var/www/first-ssl',
ssl => true,
}
Next, we add two name-based virtual hosts listening on a second IP address (10.0.0.20):
apache::vhost { 'second.example.com':
ip => '10.0.0.20',
port => '80',
docroot => '/var/www/second',
}
apache::vhost { 'third.example.com':
ip => '10.0.0.20',
port => '80',
docroot => '/var/www/third',
}
To add name-based virtual hosts that answer on either 10.0.0.10 or 10.0.0.20, you must disable the Apache default Listen 80
, as it conflicts with the preceding IP-based virtual hosts. To do this, set the add_listen
parameter to false
:
apache::vhost { 'fourth.example.com':
port => '80',
docroot => '/var/www/fourth',
add_listen => false,
}
apache::vhost { 'fifth.example.com':
port => '80',
docroot => '/var/www/fifth',
add_listen => false,
}
Installing Apache modules
There are two ways to install Apache modules using the Puppet apache module:
- Use the
apache::mod::<MODULE NAME>
classes to install specific Apache modules with parameters. - Use the
apache::mod
defined type to install arbitrary Apache modules.
Installing specific modules
The Puppet apache module supports installing many common Apache modules, often with parameterized configuration options. For a list of supported Apache modules, see the apache::mod::<MODULE NAME>
class references.
For example, you can install the mod_ssl
Apache module with default settings by declaring the apache::mod::ssl
class:
class { 'apache::mod::ssl': }
apache::mod::ssl
has several parameterized options that you can set when declaring it. For instance, to enable mod_ssl
with compression enabled, set the ssl_compression
parameter to true:
class { 'apache::mod::ssl':
ssl_compression => true,
}
Note that some modules have prerequisites, which are documented in their references under apache::mod::<MODULE NAME>
.
Installing arbitrary modules
You can pass the name of any module that your operating system's package manager can install to the apache::mod
defined type to install it. Unlike the specific-module classes, the apache::mod
defined type doesn't tailor the installation based on other installed modules or with specific parameters---Puppet only grabs and installs the module's package, leaving detailed configuration up to you.
For example, to install the mod_authnz_external
Apache module, declare the defined type with the 'mod_authnz_external' name:
apache::mod { 'mod_authnz_external': }
There are several optional parameters you can specify when defining Apache modules this way. See the defined type's reference for details.
Configuring FastCGI servers to handle PHP files
Add the apache::fastcgi::server
defined type to allow FastCGI servers to handle requests for specific files. For example, the following defines a FastCGI server at 127.0.0.1 (localhost) on port 9000 to handle PHP requests:
apache::fastcgi::server { 'php':
host => '127.0.0.1:9000',
timeout => 15,
flush => false,
faux_path => '/var/www/php.fcgi',
fcgi_alias => '/php.fcgi',
file_type => 'application/x-httpd-php'
}
You can then use the custom_fragment
parameter to configure the virtual host to have the FastCGI server handle the specified file type:
apache::vhost { 'www':
...
custom_fragment => 'AddType application/x-httpd-php .php'
...
}
Load balancing examples
Apache supports load balancing across groups of servers through the mod_proxy
Apache module. Puppet supports configuring Apache load balancing groups (also known as balancer clusters) through the apache::balancer
and apache::balancermember
defined types.
To enable load balancing with exported resources, export the apache::balancermember
defined type from the load balancer member server:
@@apache::balancermember { "${::fqdn}-puppet00":
balancer_cluster => 'puppet00',
url => "ajp://${::fqdn}:8009",
options => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'],
}
Then, on the proxy server, create the load balancing group:
apache::balancer { 'puppet00': }
To enable load balancing without exporting resources, declare the following on the proxy server:
apache::balancer { 'puppet00': }
apache::balancermember { "${::fqdn}-puppet00":
balancer_cluster => 'puppet00',
url => "ajp://${::fqdn}:8009",
options => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'],
}
Then declare the apache::balancer
and apache::balancermember
defined types on the proxy server.
To use the ProxySet directive on the balancer, use the proxy_set
parameter of apache::balancer
:
apache::balancer { 'puppet01':
proxy_set => {
'stickysession' => 'JSESSIONID',
'lbmethod' => 'bytraffic',
},
}
Load balancing scheduler algorithms (lbmethod
) are listed in mod_proxy_balancer documentation.
Reference
Public Classes
Class: apache
Guides the basic setup and installation of Apache on your system.
When this class is declared with the default options, Puppet:
- Installs the appropriate Apache software package and required Apache modules for your operating system.
- Places the required configuration files in a directory, with the default location determined by your operating system.
- Configures the server with a default virtual host and standard port ('80') and address ('*') bindings.
- Creates a document root directory determined by your operating system, typically
/var/www
. - Starts the Apache service.
You can simply declare the default apache
class:
class { 'apache': }
allow_encoded_slashes
Sets the server default for the AllowEncodedSlashes
declaration, which modifies the responses to URLs containing '\' and '/' characters. If not specified, this parameter omits the declaration from the server's configuration and uses Apache's default setting of 'off'.
Values: 'on', 'off', 'nodecode'.
Default: undef
.
apache_version
Configures module template behavior, package names, and default Apache modules by defining the version of Apache to use. We do not recommend manually configuring this parameter without reason.
Default: Depends on operating system and release version detected by the apache::version
class.
conf_dir
Sets the directory where the Apache server's main configuration file is located.
Default: Depends on operating system.
- Debian:
/etc/apache2
- FreeBSD:
/usr/local/etc/apache22
- Gentoo:
/etc/apache2
- Red Hat:
/etc/httpd/conf
conf_template
Defines the template used for the main Apache configuration file. Modifying this parameter is potentially risky, as the apache module is designed to use a minimal configuration file customized by conf.d
entries.
Default: apache/httpd.conf.erb
.
confd_dir
Sets the location of the Apache server's custom configuration directory.
Default: Depends on operating system.
- Debian:
/etc/apache2/conf.d
- FreeBSD:
/usr/local/etc/apache22
- Gentoo:
/etc/apache2/conf.d
- Red Hat:
/etc/httpd/conf.d
default_charset
Used as the AddDefaultCharset
directive in the main configuration file.
Default: undef
.
default_confd_files
Determines whether Puppet generates a default set of includable Apache configuration files in the directory defined by the confd_dir
parameter. These configuration files correspond to what is typically installed with the Apache package on the server's operating system.
Boolean.
Default: true
.
default_mods
Determines whether to configure and enable a set of default Apache modules depending on your operating system.
If false
, Puppet includes only the Apache modules required to make the HTTP daemon work on your operating system, and you can declare any other modules separately using the apache::mod::<MODULE NAME>
class or apache::mod
defined type.
If true
, Puppet installs additional modules, depending on the operating system and the values of apache_version
and mpm_module
parameters. Because these lists of modules can change frequently, consult the Puppet module's code for up-to-date lists.
If this parameter contains an array, Puppet instead enables all passed Apache modules.
Values: Boolean or an array of Apache module names.
Default: true
.
default_ssl_ca
Sets the default certificate authority for the Apache server.
Although the default value results in a functioning Apache server, you must update this parameter with your certificate authority information before deploying this server in a production environment.
Boolean.
Default: undef
.
default_ssl_cert
Sets the SSL encryption certificate location.
Although the default value results in a functioning Apache server, you must update this parameter with your certificate location before deploying this server in a production environment.
Default: Depends on operating system.
- Debian:
/etc/ssl/certs/ssl-cert-snakeoil.pem
- FreeBSD:
/usr/local/etc/apache22/server.crt
- Gentoo:
/etc/ssl/apache2/server.crt
- Red Hat:
/etc/pki/tls/certs/localhost.crt
default_ssl_chain
Sets the default SSL chain location.
Although this default value results in a functioning Apache server, you must update this parameter with your SSL chain before deploying this server in a production environment.
Default: undef
.
default_ssl_crl
Sets the path of the default certificate revocation list (CRL) file to use.
Although this default value results in a functioning Apache server, you must update this parameter with the CRL file path before deploying this server in a production environment. You can use this parameter with or in place of the default_ssl_crl_path
.
Default: undef
.
default_ssl_crl_path
Sets the server's certificate revocation list path, which contains your CRLs.
Although this default value results in a functioning Apache server, you must update this parameter with the CRL file path before deploying this server in a production environment.
Default: undef
.
default_ssl_crl_check
Sets the default certificate revocation check level via the SSLCARevocationCheck
directive. This parameter applies only to Apache 2.4 or higher and is ignored on older versions.
Although this default value results in a functioning Apache server, you must specify this parameter when using certificate revocation lists in a production environment.
Default: undef
.
default_ssl_key
Sets the SSL certificate key file location.
Although the default values result in a functioning Apache server, you must update this parameter with your SSL key's location before deploying this server in a production environment.
Default: Depends on operating system.
- Debian:
/etc/ssl/private/ssl-cert-snakeoil.key
- FreeBSD:
/usr/local/etc/apache22/server.key
- Gentoo:
/etc/ssl/apache2/server.key
- Red Hat:
/etc/pki/tls/private/localhost.key
default_ssl_vhost
Configures a default SSL virtual host.
If true
, Puppet automatically configures the following virtual host using the apache::vhost
defined type:
apache::vhost { 'default-ssl':
port => 443,
ssl => true,
docroot => $docroot,
scriptalias => $scriptalias,
serveradmin => $serveradmin,
access_log_file => "ssl_${access_log_file}",
}
Note: SSL virtual hosts only respond to HTTPS queries.
Boolean.
Default: false
.
default_type
Apache 2.2 only. Sets the MIME content-type
sent if the server cannot otherwise determine an appropriate content-type
. This directive is deprecated in Apache 2.4 and newer, and is only for backwards compatibility in configuration files.
Default: undef
.
default_vhost
Configures a default virtual host when the class is declared.
To configure customized virtual hosts, set this parameter's value to false
.
Note: Apache will not start without at least one virtual host. If you set this to
false
you must configure a virtual host elsewhere.
Boolean.
Default: true
.
dev_packages
Configures a specific dev package to use.
Values: A string or array of strings.
Example for using httpd 2.4 from the IUS yum repo:
include ::apache::dev
class { 'apache':
apache_name => 'httpd24u',
dev_packages => 'httpd24u-devel',
}
Default: Depends on operating system.
- Red Hat: 'httpd-devel'
- Debian 8/Ubuntu 13.10 or newer: ['libaprutil1-dev', 'libapr1-dev', 'apache2-dev']
- Older Debian/Ubuntu versions: ['libaprutil1-dev', 'libapr1-dev', 'apache2-prefork-dev']
- FreeBSD, Gentoo:
undef
- Suse: ['libapr-util1-devel', 'libapr1-devel']
docroot
Sets the default DocumentRoot
location.
Default: Depends on operating system.
- Debian:
/var/www/html
- FreeBSD:
/usr/local/www/apache22/data
- Gentoo:
/var/www/localhost/htdocs
- Red Hat:
/var/www/html
error_documents
Determines whether to enable custom error documents on the Apache server.
Boolean.
Default: false
.
group
Sets the group ID that owns any Apache processes spawned to answer requests.
By default, Puppet attempts to manage this group as a resource under the apache
class, determining the group based on the operating system as detected by the apache::params
class. To to prevent the group resource from being created and use a group created by another Puppet module, set the manage_group
parameter's value to false
.
Note: Modifying this parameter only changes the group ID that Apache uses to spawn child processes to access resources. It does not change the user that owns the parent server process.
httpd_dir
Sets the Apache server's base configuration directory. This is useful for specially repackaged Apache server builds but might have unintended consequences when combined with the default distribution packages.
Default: Depends on operating system.
- Debian:
/etc/apache2
- FreeBSD:
/usr/local/etc/apache22
- Gentoo:
/etc/apache2
- Red Hat:
/etc/httpd
http_protocol_options
Specifies the strictness of HTTP protocol checks.
Valid options: any sequence of the following alternative values: Strict
or Unsafe
, RegisteredMethods
or LenientMethods
, and Allow0.9
or Require1.0
.
Default 'Strict LenientMethods Allow0.9
'.
keepalive
Determines whether to enable persistent HTTP connections with the KeepAlive
directive. If you set this to 'On', use the keepalive_timeout
and max_keepalive_requests
parameters to set relevant options.
Values: 'Off', 'On'.
Default: 'Off'.
keepalive_timeout
Sets the KeepAliveTimeout
directive, which determines the amount of time the Apache server waits for subsequent requests on a persistent HTTP connection. This parameter is only relevant if the keepalive
parameter is enabled.
Default: '15'.
max_keepalive_requests
Limits the number of requests allowed per connection when the keepalive
parameter is enabled.
Default: '100'.
lib_path
Specifies the location where Apache module files are stored.
Default: Depends on operating system.
- Debian and Gentoo:
/usr/lib/apache2/modules
- FreeBSD:
/usr/local/libexec/apache24
- Red Hat:
modules
Note: Do not configure this parameter manually without special reason.
log_level
Changes the error log's verbosity. Values: 'alert', 'crit', 'debug', 'emerg', 'error', 'info', 'notice', 'warn'.
Default: 'warn'.
log_formats
Define additional LogFormat
directives. Values: A hash, such as:
$log_formats = { vhost_common => '%v %h %l %u %t \"%r\" %>s %b' }
There are a number of predefined LogFormats
in the httpd.conf
that Puppet creates:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" forwarded
If your log_formats
parameter contains one of those, it will be overwritten with your definition.
logroot
Changes the directory of Apache log files for the virtual host.
Default: Depends on operating system.
- Debian:
/var/log/apache2
- FreeBSD:
/var/log/apache22
- Gentoo:
/var/log/apache2
- Red Hat:
/var/log/httpd
logroot_mode
Overrides the default logroot
directory's mode.
Note: Do not grant write access to the directory where the logs are stored without being aware of the consequences. See the Apache documentation for details.
Default: undef
.
manage_group
When false
, stops Puppet from creating the group resource.
If you have a group created from another Puppet module that you want to use to run Apache, set this to false
. Without this parameter, attempting to use a previously established group results in a duplicate resource error.
Boolean.
Default: true
.
supplementary_groups
A list of groups to which the user belongs. These groups are in addition to the primary group.
Default: No additional groups.
Notice: This option only has an effect when manage_user
is set to true.
manage_user
When false
, stops Puppet from creating the user resource.
This is for instances when you have a user, created from another Puppet module, you want to use to run Apache. Without this parameter, attempting to use a previously established user would result in a duplicate resource error.
Boolean.
Default: true
.
mod_dir
Sets where Puppet places configuration files for your Apache modules.
Default: Depends on operating system.
- Debian:
/etc/apache2/mods-available
- FreeBSD:
/usr/local/etc/apache22/Modules
- Gentoo:
/etc/apache2/modules.d
- Red Hat:
/etc/httpd/conf.d
mod_packages
Allows the user to override default module package names.
include apache::params
class { 'apache':
mod_packages => merge($::apache::params::mod_packages, {
'auth_kerb' => 'httpd24-mod_auth_kerb',
})
}
Hash. Default: $apache::params::mod_packages
mpm_module
Determines which multi-processing module (MPM) is loaded and configured for the HTTPD process. Values: 'event', 'itk', 'peruser', 'prefork', 'worker', or false
.
You must set this to false
to explicitly declare the following classes with custom parameters:
Default: Depends on operating system.
- Debian: 'worker'
- FreeBSD, Gentoo, and Red Hat: 'prefork'
package_ensure
Controls the package
resource's ensure
attribute. Values: 'absent', 'installed' (or equivalent 'present'), or a version string.
Default: 'installed'.
pidfile
Allows settting a custom location for the pid file. Useful if using a custom-built Apache rpm.
Default: Depends on operating system.
- Debian: '\${APACHE_PID_FILE}'
- FreeBSD: '/var/run/httpd.pid'
- Red Hat: 'run/httpd.pid'
ports_file
Sets the path to the file containing Apache ports configuration.
Default: '{$conf_dir}/ports.conf'.
purge_configs
Removes all other Apache configs and virtual hosts.
Setting this to false
is a stopgap measure to allow the apache module to coexist with existing or unmanaged configurations. We recommend moving your configuration to resources within this module. For virtual host configurations, see purge_vhost_dir
.
Boolean.
Default: true
.
purge_vhost_dir
If the vhost_dir
parameter's value differs from the confd_dir
parameter's, this parameter determines whether Puppet removes any configurations inside vhost_dir
that are not managed by Puppet.
Setting purge_vhost_dir
to false
is a stopgap measure to allow the apache module to coexist with existing or otherwise unmanaged configurations within vhost_dir
.
Boolean.
Default: same as purge_configs
.
rewrite_lock
Allows setting a custom location for a rewrite lock - considered best practice if using a RewriteMap of type prg in the [rewrites
][] parameter of your virtual host. This parameter only applies to Apache version 2.2 or lower and is ignored on newer versions.
Default: undef
.
sendfile
Forces Apache to use the Linux kernel's sendfile
support to serve static files, via the EnableSendfile
directive. Values: 'On', 'Off'.
Default: 'On'.
serveradmin
Sets the Apache server administrator's contact information via Apache's ServerAdmin
directive.
Default: 'root@localhost'.
servername
Sets the Apache server name via Apache's ServerName
directive.
Setting to false
will not set ServerName at all.
Default: the 'fqdn' fact reported by Facter.
server_root
Sets the Apache server's root directory via Apache's ServerRoot
directive.
Default: Depends on operating system.
- Debian:
/etc/apache2
- FreeBSD:
/usr/local
- Gentoo:
/var/www
- Red Hat:
/etc/httpd
server_signature
Configures a trailing footer line to display at the bottom of server-generated documents, such as error documents and output of certain Apache modules, via Apache's ServerSignature
directive. Values: 'Off', 'On'.
Default: 'On'.
server_tokens
Controls how much information Apache sends to the browser about itself and the operating system, via Apache's ServerTokens
directive.
Default: 'OS'.
service_enable
Determines whether Puppet enables the Apache HTTPD service when the system is booted.
Boolean.
Default: true
.
service_ensure
Determines whether Puppet should make sure the service is running. Values: true
(or 'running'), false
(or 'stopped').
The false
or 'stopped' values set the 'httpd' service resource's ensure
parameter to false
, which is useful when you want to let the service be managed by another application, such as Pacemaker.
Default: 'running'.
service_name
Sets the name of the Apache service.
Default: Depends on operating system.
- Debian and Gentoo: 'apache2'
- FreeBSD: 'apache22'
- Red Hat: 'httpd'
service_manage
Determines whether Puppet manages the HTTPD service's state.
Boolean.
Default: true
.
service_restart
Determines whether Puppet should use a specific command to restart the HTTPD service.
Values: a command to restart the Apache service. The default setting uses the default Puppet behavior.
Default: undef
.
ssl_ca
Specifies the SSL certificate authority. SSLCACertificateFile to use to verify certificate used in ssl client authentication.
It is possible to override this on a vhost level.
Default: undef
.
timeout
Sets Apache's TimeOut
directive, which defines the number of seconds Apache waits for certain events before failing a request.
Default: 120.
trace_enable
Controls how Apache handles TRACE
requests (per RFC 2616) via the TraceEnable
directive.
Values: 'Off', 'On'.
Default: 'On'.
use_systemd
Controls whether the systemd module should be installed on Centos 7 servers, this is especially useful if using custom-built RPMs.
Boolean.
Default: true
.
file_mode
Sets the desired permissions mode for config files.
Values: A string, with permissions mode in symbolic or numeric notation.
Default: '0644'.
root_directory_options
Array of the desired options for the / directory in httpd.conf.
Defaults: 'FollowSymLinks'.
root_directory_secured
Sets the default access policy for the / directory in httpd.conf. A value of false
allows access to all resources that are missing a more specific access policy. A value of true
denies access to all resources by default. If true
, more specific rules must be used to allow access to these resources (for example, in a directory block using the directories
parameter).
Boolean.
Default: false
.
vhost_dir
Changes your virtual host configuration files' location.
Default: Depends on operating system:
- Debian:
/etc/apache2/sites-available
- FreeBSD:
/usr/local/etc/apache22/Vhosts
- Gentoo:
/etc/apache2/vhosts.d
- Red Hat:
/etc/httpd/conf.d
vhost_include_pattern
Defines the pattern for files included from the vhost_dir
.
If set to a value like [^.#]\*.conf[^~]
to make sure that files accidentally created in this directory (such as files created by version control systems or editor backups) are not included in your server configuration.
Default: '*'.
Some operating systems use a value of *.conf
. By default, this module creates configuration files ending in .conf
.
user
Changes the user that Apache uses to answer requests. Apache's parent process continues to run as root, but child processes access resources as the user defined by this parameter. To prevent Puppet from managing the user, set the manage_user
parameter to false
.
Default: Depends on the user set by apache::params
class, based on your operating system:
- Debian: 'www-data'
- FreeBSD: 'www'
- Gentoo and Red Hat: 'apache'
To prevent Puppet from managing the user, set the manage_user
parameter to false.
apache_name
The name of the Apache package to install. If you are using a non-standard Apache package, such as those from Red Hat's software collections, you might need to override the default setting.
Default: Depends on the user set by apache::params
class, based on your operating system:
- Debian: 'apache2'
- FreeBSD: 'apache24'
- Gentoo: 'www-servers/apache'
- Red Hat: 'httpd'
error_log
The name of the error log file for the main server instance. If the string starts with /
, |
, or syslog
: the full path is set. Otherwise, the filename is prefixed with $logroot
.
Default: Depends on operating system:
- Debian: 'error.log'
- FreeBSD: 'httpd-error.log'
- Gentoo: 'error.log'
- Red Hat: 'error_log'
- Suse: 'error.log'
scriptalias
Directory to use for global script alias
Default: Depends on operating system:
- Debian: '/usr/lib/cgi-bin'
- FreeBSD: '/usr/local/www/apache24/cgi-bin'
- Gentoo: 'var/www/localhost/cgi-bin'
- Red Hat: '/var/www/cgi-bin'
- Suse: '/usr/lib/cgi-bin'
access_log_file
The name of the access log file for the main server instance.
Default: Depends on operating system:
- Debian: 'error.log'
- FreeBSD: 'httpd-access.log'
- Gentoo: 'access.log'
- Red Hat: 'access_log'
- Suse: 'access.log'
Class: apache::dev
Installs Apache development libraries.
Default: Depends on the operating system:dev_packages
parameter of the apache::params
class, based on your operating system:
- Debian : 'libaprutil1-dev', 'libapr1-dev'; 'apache2-dev' on Ubuntu 13.10 and Debian 8; 'apache2-prefork-dev' on other versions.
- FreeBSD:
undef
; on FreeBSD, you must declare theapache::package
orapache
classes before declaringapache::dev
. - Gentoo:
undef
. - Red Hat: 'httpd-devel'.
Class: apache::vhosts
Creates apache::vhost
defined types.
Parameters:
-
vhosts
: Specifies theapache::vhost
defined type's parameters.Values: A hash, where the key represents the name and the value represents a hash of
apache::vhost
defined type's parameters.Default: '{}'
Note: See the
apache::vhost
defined type's reference for a list of all virtual host parameters or Configuring virtual hosts.For example, to create a name-based virtual host 'custom_vhost_1, declare this class with the
vhosts
parameter set to '{ "custom_vhost_1" => { "docroot" => "/var/www/custom_vhost_1", "port" => "81" }':
class { 'apache::vhosts':
vhosts => {
'custom_vhost_1' => {
'docroot' => '/var/www/custom_vhost_1',
'port' => '81',
},
},
}
Classes: apache::mod::<MODULE NAME>
Enables specific Apache modules. Enable and configure an Apache module by declaring its class.
For example, to install and enable mod_alias
with no icons, declare the apache::mod::alias
class with the icons_options
parameter set to 'None':
class { 'apache::mod::alias':
icons_options => 'None',
}
The following Apache modules have supported classes, many of which allow for parameterized configuration. You can install other Apache modules with the apache::mod
defined type.
actions
alias
(seeapache::mod::alias
)auth_basic
auth_cas
* (seeapache::mod::auth_cas
)auth_mellon
* (seeapache::mod::auth_mellon
)auth_kerb
authn_core
authn_dbd
* (seeapache::mod::authn_dbd
)authn_file
authnz_ldap
* (seeapache::mod::authnz_ldap
)authnz_pam
authz_default
authz_user
autoindex
cache
cgi
cgid
cluster
(seeapache::mod::cluster
)dav
dav_fs
dav_svn
*dbd
deflate\
dev
dir
*disk_cache
(seeapache::mod::disk_cache
)dumpio
(seeapache::mod::dumpio
)env
event
(seeapache::mod::event
)expires
ext_filter
(seeapache::mod::ext_filter
)fastcgi
fcgid
filter
geoip
(seeapache::mod::geoip
)headers
include
info
*intercept_form_submit
itk
jk
(seeapache::mod::jk
)ldap
(seeapache::mod::ldap
)lookup_identity
macro
(see [apache:mod:macro
][])mime
mime_magic
*negotiation
nss
* (see [apache::mod::nss
][])pagespeed
(see [apache::mod::pagespeed
][])passenger
* (seeapache::mod::passenger
)perl
peruser
php
(requiresmpm_module
set toprefork
)prefork
*proxy
* (seeapache::mod::proxy
)proxy_ajp
proxy_balancer
* (seeapache::mod::proxy_balancer
)proxy_balancer
proxy_html
(seeapache::mod::proxy_html
)proxy_http
python
reqtimeout
remoteip
*rewrite
rpaf
*setenvif
security
shib
* (seeapache::mod::shib
)speling
ssl
* (seeapache::mod::ssl
)status
* (seeapache::mod::status
)suphp
userdir
* (seeapache::mod::userdir
)version
vhost_alias
worker
*wsgi
(seeapache::mod::wsgi
)xsendfile
Modules noted with a * indicate that the module has settings and a template that includes parameters to configure the module. Most Apache module class parameters have default values and don't require configuration. For modules with templates, Puppet installs template files with the module; these template files are required for the module to work.
Class: apache::mod::alias
Installs and manages mod_alias
.
Parameters:
-
icons_options
: Disables directory listings for the icons directory, via ApacheOptions
directive.Default: 'Indexes MultiViews'.
-
icons_path
: Sets the local path for an/icons/
Alias.Default: Depends on operating system.
- Debian:
/usr/share/apache2/icons
- FreeBSD:
/usr/local/www/apache24/icons
- Gentoo:
/var/www/icons
- *Red Hat**:
/var/www/icons
, except on Apache 2.4, where it's/usr/share/httpd/icons
- Debian:
Class: apache::mod::disk_cache
Installs and configures mod_disk_cache
on Apache 2.2, or [mod_cache_disk
][] on Apache 2.4.
Default: Depends on the Apache version and operating system:
- Debian:
/var/cache/apache2/mod_cache_disk
- FreeBSD:
/var/cache/mod_cache_disk
- Red Hat, Apache 2.4:
/var/cache/httpd/proxy
- Red Hat, Apache 2.2:
/var/cache/mod_proxy
To specify the cache root, pass a path as a string to the cache_root
parameter.
class {'::apache::mod::disk_cache':
cache_root => '/path/to/cache',
}
Class: apache::mod::diskio
Installs and configures [mod_diskio
][].
class{'apache':
default_mods => `false`,
log_level => 'dumpio:trace7',
}
class{'apache::mod::diskio':
disk_io_input => 'On',
disk_io_output => 'Off',
}
Parameters:
-
dump_io_input
: Dump all input data to the error log.Values: 'On', 'Off'.
Default: 'Off'.
-
dump_io_output
: Dump all output data to the error log.Values: 'On', 'Off'.
Defaults to 'Off'.
Class: apache::mod::event
Installs and manages mod_mpm_event
. You cannot include apache::mod::event
with apache::mod::itk
, apache::mod::peruser
, apache::mod::prefork
, or apache::mod::worker
on the same server.
Parameters:
-
listenbacklog
: Sets the maximum length of the pending connections queue via the module'sListenBackLog
directive. Setting this tofalse
removes the parameter.Default: '511'.
-
maxrequestworkers
(Apache 2.3.12 or older:maxclients
): Sets the maximum number of connections Apache can simultaneously process, via the module'sMaxRequestWorkers
directive. Setting these tofalse
removes the parameters.Default: '150'.
-
maxconnectionsperchild
(Apache 2.3.8 or older:maxrequestsperchild
): Limits the number of connections a child server handles during its life, via the module'sMaxConnectionsPerChild
directive. Setting these tofalse
removes the parameters.Default: '0'.
-
maxsparethreads
andminsparethreads
: Sets the maximum and minimum number of idle threads, via theMaxSpareThreads
andMinSpareThreads
directives. Setting these tofalse
removes the parameters.Default: '75' and '25', respectively.
-
serverlimit
: Limits the configurable number of processes via theServerLimit
directive. Setting this tofalse
removes the parameter.Default: '25'.
-
startservers
: Sets the number of child server processes created at startup, via the module'sStartServers
directive. Setting this tofalse
removes the parameter.Default: '2'.
-
threadlimit
: Limits the number of event threads via the module'sThreadLimit
directive. Setting this tofalse
removes the parameter.Default: '64'.
-
threadsperchild
: Sets the number of threads created by each child process, via theThreadsPerChild
directive.Default: '25'. Setting this to
false
removes the parameter.
Class: apache::mod::auth_cas
Installs and manages mod_auth_cas
. Parameters share names with the Apache module's directives.
The cas_login_url
and cas_validate_url
parameters are required; several other parameters have undef
default values.
Note: The auth_cas module isn't available on RH/CentOS without providing dependency packages provided by EPEL. See https://github.com/Jasig/mod_auth_cas
Parameters:
-
cas_attribute_prefix
: Adds a header with the value of this header being the attribute values when SAML validation is enabled.Default: CAS_.
-
cas_attribute_delimiter
: The delimiter between attribute values in the header created bycas_attribute_prefix
.Default: ,
-
cas_authoritative
: Determines whether an optional authorization directive is authoritative and binding.Default:
undef
. -
cas_certificate_path
: Sets the path to the X509 certificate of the Certificate Authority for the server incas_login_url
andcas_validate_url
.Default:
undef
. -
cas_cache_clean_interval
: Sets the minimum number of seconds that must pass between cache cleanings.Default:
undef
. -
cas_cookie_domain
: Sets the value of theDomain=
parameter in theSet-Cookie
HTTP header.Default:
undef
. -
cas_cookie_entropy
: Sets the number of bytes to use when creating session identifiers.Default:
undef
. -
cas_cookie_http_only
: Sets the optionalHttpOnly
flag whenmod_auth_cas
issues cookies.Default:
undef
. -
cas_cookie_path
: Where cas cookie session data is stored. Should be writable by web server user.Default: OS dependent.
-
cas_cookie_path_mode
: The mode ofcas_cookie_path
.Default: '0750'.
-
cas_debug
: Determines whether to enable the module's debugging mode.Default: 'Off'.
-
cas_idle_timeout
: Sets the idle timeout limit, in seconds.Default:
undef
. -
cas_login_url
: Required. Sets the URL to which the module redirects users when they attempt to access a CAS-protected resource and don't have an active session. -
cas_proxy_validate_url
: The URL to use when performing a proxy validation.Default:
undef
. -
cas_root_proxied_as
: Sets the URL end users see when access to this Apache server is proxied.Default:
undef
. -
cas_scrub_request_headers
: Remove inbound request headers that may have special meaning within mod_auth_cas. -
cas_sso_enabled
: Enables experimental support for single sign out (may mangle POST data).Default: 'Off'.
-
cas_timeout
: Limits the number of seconds amod_auth_cas
session can remain active.Default:
undef
. -
cas_validate_depth
: Limits the depth for chained certificate validation.Default:
undef
. -
cas_validate_saml
: Parse response from CAS server for SAML.Default: 'Off'.
-
cas_validate_server
: Whether to validate the cert of the CAS server (deprecated in 1.1 - RedHat 7).Default:
undef
. -
cas_validate_url
: Required. Sets the URL to use when validating a client-presented ticket in an HTTP query string. -
cas_version
: The CAS protocol version to adhere to. Values: '1', '2'.Default: '2'.
-
suppress_warning
: Suppress warning about being on RedHat (mod_auth_cas
package is now available in epel-testing repo).Default:
false
.
Class: apache::mod::auth_mellon
Installs and manages mod_auth_mellon
. Parameters share names with the Apache module's directives.
class{ 'apache::mod::auth_mellon':
mellon_cache_size => 101,
}
Parameters:
-
mellon_cache_entry_size
: Maximum size for a single session.Default:
undef
. -
mellon_cache_size
: Size in megabytes of the mellon cache.Default: 100.
-
mellon_lock_file
: Location of lock file.Default: '
/run/mod_auth_mellon/lock
'. -
mellon_post_directory
: Full path where post requests are saved.Default: '
/var/cache/apache2/mod_auth_mellon/
' -
mellon_post_ttl
: Time to keep post requests.Default:
undef
. -
mellon_post_size
: Maximum size of post requests.Default:
undef
. -
mellon_post_count
: Maximum number of post requests.Default:
undef
.
Class: apache::mod::authn_dbd
Installs mod_authn_dbd
and uses authn_dbd.conf.erb
template to generate its configuration. Optionally, creates AuthnProviderAlias.
class { 'apache::mod::authn_dbd':
$authn_dbd_params =>
'host=db01 port=3306 user=apache password=xxxxxx dbname=apacheauth',
$authn_dbd_query => 'SELECT password FROM authn WHERE user = %s',
$authn_dbd_alias => 'db_auth',
}
Parameters:
-
authn_dbd_alias
: Name for the 'AuthnProviderAlias'. -
authn_dbd_dbdriver
: Specifies the database driver to use.Default: 'mysql'.
-
authn_dbd_exptime
: corresponds to DBDExptime.Default: 300.
-
authn_dbd_keep
: Corresponds to DBDKeep.Default: 8.
-
authn_dbd_max
: Corresponds to DBDMax.Default: 20.
-
authn_dbd_min
: Corresponds to DBDMin.Default: 4.
-
authn_dbd_params
: Required. Corresponds to DBDParams for the connection string. -
authn_dbd_query
: Whether to query the user and password for authentication.
Class: apache::mod::authnz_ldap
Installs mod_authnz_ldap
and uses the authnz_ldap.conf.erb
template to generate its configuration.
Parameters:
-
package_name
: The name of the package.Default:
undef
. -
verify_server_cert
: Whether to verify the server certificate.Default:
undef
.
Class: apache::mod::cluster
Note: There is no official package available for mod_cluster
, so you must make it available outside of the apache module. Binaries can be found at http://mod-cluster.jboss.org/
class { '::apache::mod::cluster':
ip => '172.17.0.1',
allowed_network => '172.17.0.',
balancer_name => 'mycluster',
version => '1.3.1'
}
Parameters:
-
port
: mod_cluster listen port.Default: '6666'.
-
server_advertise
: Whether the server should advertise.Default:
true
. -
advertise_frequency
: Sets the interval between advertise messages in seconds[.miliseconds].Default: 10.
-
manager_allowed_network
: Whether to allow the network to access the mod_cluster_manager.Default: '127.0.0.1'.
-
keep_alive_timeout
: Specifies how long Apache should wait for a request, in seconds.Default: 60.
-
max_keep_alive_requests
: Maximum number of requests kept alive.Default: 0.
-
enable_mcpm_receive
: Whether MCPM should be enabled.Default:
true
. -
ip
: Specifies the IP address to listen to. -
allowed_network
: Balanced members network. -
version
: Specifies themod_cluster
version. Version 1.3.0 or greater is required for httpd 2.4.
Class: apache::mod::deflate
Installs and configures [mod_deflate
][].
Parameters:
-
types
: An array of [MIME types][MIME `content*type`] to be deflated.Default: [ 'text/html text/plain text/xml', 'text/css', 'application/x*javascript application/javascript application/ecmascript', 'application/rss+xml', 'application/json' ].
-
notes
: A Hash where the key represents the type and the value represents the note name.Default: { 'Input' => 'instream', 'Output' => 'outstream', 'Ratio' => 'ratio' }.
Class: apache::mod::expires
Installs mod_expires
and uses the expires.conf.erb
template to generate its configuration.
Parameters:
-
expires_active
: Enables generation ofExpires
headers for a document realm.Boolean.
Default:
true
. -
expires_default
: Specifies the default algorithm for calculating expiration time usingExpiresByType
syntax or interval syntax.Default:
undef
. -
expires_by_type
: Describes a set of [MIMEcontent*type
][] and their expiration times.Values: An array of Hashes, with each Hash's key a valid MIME
content*type
(i.e. 'text/json') and its value following valid interval syntax.Default:
undef
.
Class: apache::mod::ext_filter
Installs and configures mod_ext_filter
.
class { 'apache::mod::ext_filter':
ext_filter_define => {
'slowdown' => 'mode=output cmd=/bin/cat preservescontentlength',
'puppetdb-strip' => 'mode=output outtype=application/json cmd="pdb-resource-filter"',
},
}
Parameters:
-
ext_filter_define
: A hash of filter names and their parameters.Default:
undef
.
Class: apache::mod::fcgid
Installs and configures mod_fcgid
.
The class does not individually parameterize all available options. Instead, configure mod_fcgid
using the options
hash. For example:
class { 'apache::mod::fcgid':
options => {
'FcgidIPCDir' => '/var/run/fcgidsock',
'SharememPath' => '/var/run/fcgid_shm',
'AddHandler' => 'fcgid-script .fcgi',
},
}
For a full list of options, see the official mod_fcgid
documentation.
If you include apache::mod::fcgid
, you can set the [FcgidWrapper
][] per directory, per virtual host. The module must be loaded first; Puppet will not automatically enable it if you set the fcgiwrapper
parameter in apache::vhost
.
include apache::mod::fcgid
apache::vhost { 'example.org':
docroot => '/var/www/html',
directories => {
path => '/var/www/html',
fcgiwrapper => {
command => '/usr/local/bin/fcgiwrapper',
}
},
}
Class: apache::mod::geoip
Installs and manages mod_geoip
.
Parameters:
-
db_file
: Sets the path to your GeoIP database file.Values: a path, or an array paths for multiple GeoIP database files.
Default:
/usr/share/GeoIP/GeoIP.dat
. -
enable
: Determines whether to globally enablemod_geoip
.Boolean.
Default:
false
. -
flag
: Sets the GeoIP flag.Values: 'CheckCache', 'IndexCache', 'MemoryCache', 'Standard'.
Default: 'Standard'.
-
output
: Defines which output variables to use.Values: 'All', 'Env', 'Request', 'Notes'.
Default: 'All'.
-
enable_utf8
: Changes the output from ISO88591 (Latin1) to UTF8.Boolean.
Default:
undef
. -
scan_proxy_headers
: Enables the GeoIPScanProxyHeaders option.Boolean.
Default:
undef
. -
scan_proxy_header_field
: Specifies the headermod_geoip
uses to determine the client's IP address.Default:
undef
. -
use_last_xforwarededfor_ip
(sic): Determines whether to use the first or last IP address for the client's IP in a comma-separated list of IP addresses is found.Boolean.
Default:
undef
.
Class: apache::mod::info
Installs and manages mod_info
, which provides a comprehensive overview of the server configuration.
Parameters:
-
allow_from
: Whitelist of IPv4 or IPv6 addresses or ranges that can access/server*info
.Values: One or more octets of an IPv4 address, an IPv6 address or range, or an array of either.
Default: ['127.0.0.1','::1'].
-
apache_version
: Apache's version number as a string, such as '2.2' or '2.4'.Default: The value of
$::apache::apache_version
.
-
restrict_access
: Determines whether to enable access restrictions. Iffalse
, theallow_from
whitelist is ignored and any IP address can access/server*info
.Boolean.
Default:
true
.
Class: apache::mod::jk
Installs and manages mod_jk
, a connector for Apache httpd redirection to old versions of TomCat and JBoss
Note: There is no official package available for mod_jk and thus it must be made available by means outside of the control of the apache module. Binaries can be found at Apache Tomcat Connectors download page
class { '::apache::mod::jk':
ip = '192.168.2.15',
workers_file = 'conf/workers.properties',
mount_file = 'conf/uriworkermap.properties',
shm_file = 'run/jk.shm',
shm_size = '50M',
$workers_file_content = {
<Content>
},
}
Parameters within apache::mod::jk
:
The best source for understanding the mod_jk
parameters is the official documentation, except for:
add_listen
Defines if a Listen
directive according to parameters ip
and port
(see below), so that Apache listens to the IP/port combination and redirect to mod_jk
.
Useful when another Listen
directive, like Listen *:<Port>
or Listen <Port>
, can conflict with the one necessary for mod_jk
binding.
Type: Boolean Default: true
ip
IP for binding to mod_jk
.
Useful when the binding address is not the primary network interface IP.
Type: String
Default: $facts['ipaddress']
port
Port for binding to mod_jk
.
Useful when something else, like a reverse proxy or cache, is receiving requests at port 80, then needs to forward them to Apache at a different port.
Type: String (numerical) Default: '80'
workers_file_content
Each directive has the format worker.<Worker name>.<Property>=<Value>
. This maps as a hash of hashes, where the outer hash specifies workers, and each inner hash specifies each worker properties and values.
Plus, there are two global directives, 'worker.list' and 'worker.mantain'
For example, the workers file below:
worker.list = status
worker.list = some_name,other_name
worker.mantain = 60
# Optional comment
worker.some_name.type=ajp13
worker.some_name.socket_keepalive=true
# I just like comments
worker.other_name.type=ajp12 (why would you?)
worker.other_name.socket_keepalive=false
Should be parameterized as:
$workers_file_content = {
worker_lists => ['status', 'some_name,other_name'],
worker_mantain => '60',
some_name => {
comment => 'Optional comment',
type => 'ajp13',
socket_keepalive => 'true',
},
other_name => {
comment => 'I just like comments',
type => 'ajp12',
socket_keepalive => 'false',
},
}
mount_file_content
Each directive has the format <URI> = <Worker name>
. This maps as a hash of hashes, where the outer hash specifies workers, and each inner hash contains two items: uri_list - an array with URIs to be mapped to the worker - and comment - an optional string with a comment for the worker.
For example, the mount file below:
# Worker 1
/context_1/ = worker_1
/context_1/* = worker_1
# Worker 2
/ = worker_2
/context_2/ = worker_2
/context_2/* = worker_2
Should be parameterized as:
$mount_file_content = {
worker_1 => {
uri_list => ['/context_1/', '/context_1/*'],
comment => 'Worker 1',
},
worker_2 => {
uri_list => ['/context_2/', '/context_2/*'],
comment => 'Worker 2',
},
},
shm_file and log_file
Depending on how these files are specified, the class creates their final path differently:
- Relative path: prepends supplied path with
logroot
(see below) - Absolute path or pipe: uses supplied path as-is
Examples (RHEL 6):
shm_file => 'shm_file'
# Ends up in
$shm_path = '/var/log/httpd/shm_file'
shm_file => '/run/shm_file'
# Ends up in
$shm_path = '/run/shm_file'
shm_file => '"|rotatelogs /var/log/httpd/mod_jk.log.%Y%m%d 86400 -180"'
# Ends up in
$shm_path = '"|rotatelogs /var/log/httpd/mod_jk.log.%Y%m%d 86400 -180"'
The default logroot is sane enough. Therefore, it is not recommended to specify absolute paths.
logroot
The base directory for shm_file
and log_file
is determined by the logroot
parameter. If unspecified, defaults to apache::params::logroot
.
The default logroot is sane enough. Therefore, it is not recommended to override it.
Class: apache::mod::passenger
Installs and manages mod_passenger
. For Red Hat-based systems, ensure that you meet the minimum requirements described in the passenger docs.
Parameters:
-
passenger_high_performance
: Sets thePassengerHighPerformance
.Values: 'On', 'Off'.
Default:
undef
. -
passenger_pool_idle_time
: Sets thePassengerPoolIdleTime
.Default:
undef
. -
passenger_max_pool_size
: Sets thePassengerMaxPoolSize
.Default:
undef
. -
passenger_max_request_queue_size
: Sets thePassengerMaxRequestQueueSize
.Default:
undef
. -
passenger_max_requests
: Sets thePassengerMaxRequests
.Default:
undef
. -
passenger_data_buffer_dir
: Sets thePassengerDataBufferDir
.Default:
undef
.
Class: apache::mod::ldap
Installs and configures mod_ldap
, and allows you to modify the
LDAPTrustedGlobalCert
Directive:
class { 'apache::mod::ldap':
ldap_trusted_global_cert_file => '/etc/pki/tls/certs/ldap-trust.crt',
ldap_trusted_global_cert_type => 'CA_DER',
ldap_shared_cache_size => '500000',
ldap_cache_entries => '1024',
ldap_cache_ttl => '600',
ldap_opcache_entries => '1024',
ldap_opcache_ttl => '600',
}
Parameters
-
apache_version
: Specifies the installed Apache version.Default:
undef
. -
ldap_trusted_global_cert_file
: Specifies the path and file name of the trusted CA certificates to use when establishing SSL or TLS connections to an LDAP server. -
ldap_trusted_global_cert_type
: Specifies the global trust certificate format.Default: 'CA_BASE64'.
-
ldap_shared_cache_size
: Specifies the size, in bytes, of the shared memory cache. -
ldap_cache_entries
: Specifies the maximum number of entries in the primary LDAP cache. -
ldap_cache_ttl
: Specifies the time, in seconds, that cached items remain valid. -
ldap_opcache_entries
: Specifies the number of entries used to cache LDAP compare operations. -
ldap_opcache_ttl
: Specifies the time, in seconds, that entries in the operation cache remain valid. -
package_name
: Specifies the custom package name.Default:
undef
.
Class: apache::mod::negotiation
Installs and configures mod_negotiation
.
Parameters:
-
force_language_priority
: Sets theForceLanguagePriority
option.Values: A string.
Default:
Prefer Fallback
. -
language_priority
: An array of languages to set theLanguagePriority
option of the module.Default: [ 'en', 'ca', 'cs', 'da', 'de', 'el', 'eo', 'es', 'et', 'fr', 'he', 'hr', 'it', 'ja', 'ko', 'ltz', 'nl', 'nn', 'no', 'pl', 'pt', 'ptBR', 'ru', 'sv', 'zhCN', 'zh*TW' ]
Class: apache::mod::nss
An SSL provider for Apache using the NSS crypto libraries.
Parameters:
transfer_log
: path to access.logerror_log
: path to error.logpasswd_file
: path to file used for NSSPassPhraseDialog directiveport
: SSL port. Defaults to 8443
Class: apache::mod::pagespeed
Installs and manages mod_pagespeed
, a Google module that rewrites web pages to reduce latency and bandwidth.
Although this apache module requires the mod-pagespeed-stable
package, Puppet does not manage the software repositories required to automatically install the package. If you declare this class when the package is either not installed or not available to your package manager, your Puppet run will fail.
Note: Verify that your system is compatible with the latest Google Pagespeed requirements.
Parameters:
These parameters correspond to the module's directives. See the module's documentation for details.
inherit_vhost_config
: Default: 'on'.filter_xhtml
: Default:false
.cache_path
: Default: '/var/cache/mod_pagespeed/'.log_dir
: Default: '/var/log/pagespeed'.memcache_servers
: Default: [].rewrite_level
: Default: 'CoreFilters'.disable_filters
: Default: [].enable_filters
: Default: [].forbid_filters
: Default: [].rewrite_deadline_per_flush_ms
: Default: 10.additional_domains
: Default:undef
.file_cache_size_kb
: Default: 102400.file_cache_clean_interval_ms
: Default: 3600000.lru_cache_per_process
: Default: 1024.lru_cache_byte_limit
: Default: 16384.css_flatten_max_bytes
: Default: 2048.css_inline_max_bytes
: Default: 2048.css_image_inline_max_bytes
: Default: 2048.image_inline_max_bytes
: Default: 2048.js_inline_max_bytes
: Default: 2048.css_outline_min_bytes
: Default: 3000.js_outline_min_bytes
: Default: 3000.inode_limit
: Default: 500000.image_max_rewrites_at_once
: Default: 8.num_rewrite_threads
: Default: 4.num_expensive_rewrite_threads
: Default: 4.collect_statistics
: Default: 'on'.statistics_logging
: Default: 'on'.allow_view_stats
: Default: [].allow_pagespeed_console
: Default: [].allow_pagespeed_message
: Default: [].message_buffer_size
: Default: 100000.additional_configuration
: A hash of directive value pairs, or an array of lines to insert at the end of the pagespeed configuration. Default: '{ }'.
Class: apache::mod::passenger
Installs and configures mod_passenger
.
Note: The passenger module isn't available on RH/CentOS without providing the dependency packages provided by EPEL and the
mod_passengers
custom repository. See themanage_repo
parameter above and https://www.phusionpassenger.com/library/install/apache/install/oss/el7/
Parameters:
passenger_conf_file
:$::apache::params::passenger_conf_file
passenger_conf_package_file:
$::apache::params::passenger_conf_package_file`passenger_high_performance
: Default:undef
passenger_pool_idle_time
: Default:undef
passenger_max_request_queue_size
: Default:undef
passenger_max_requests
: Default:undef
passenger_spawn_method
: Default:undef
passenger_stat_throttle_rate
: Default:undef
rack_autodetect
: Default:undef
rails_autodetect
: Default:undef
passenger_root
:$::apache::params::passenger_root
passenger_ruby
:$::apache::params::passenger_ruby
passenger_default_ruby
:$::apache::params::passenger_default_ruby
passenger_max_pool_size
: Default:undef
passenger_min_instances
: Default:undef
passenger_max_instances_per_app
: Default:undef
passenger_use_global_queue
: Default:undef
passenger_app_env
: Default:undef
passenger_log_file
: Default:undef
passenger_log_level
: Default:undef
passenger_data_buffer_dir
: Default:undef
manage_repo
: Whether to manage the phusionpassenger.com repository. Default:true
.mod_package
: Default:undef
.mod_package_ensure
: Default:undef
.mod_lib
: Default:undef
.mod_lib_path
: Default:undef
.mod_id
: Default:undef
.mod_path
: Default:undef
.
Class: apache::mod::proxy
Installs mod_proxy
and uses the proxy.conf.erb
template to generate its configuration.
Parameters within apache::mod::proxy
:
allow_from
: Default:undef
.apache_version
: Default:undef
.package_name
: Default:undef
.proxy_requests
: Default: 'Off'.proxy_via
: Default: 'On'.
Class: apache::mod::proxy_balancer
Installs and manages mod_proxy_balancer
, which provides load balancing.
Parameters:
-
manager
: Determines whether to enable balancer manager support.Default:
false
. -
manager_path
: The server location of the balancer manager.Default: '/balancer*manager'.
-
allow_from
: An array of IPv4 or IPv6 addresses that can access/balancer*manager
.Default: ['127.0.0.1','::1'].
-
apache_version
: Apache's version number as a string, such as '2.2' or '2.4'.Default: the value of
$::apache::apache_version
. On Apache 2.4 or greater,mod_slotmem_shm
is loaded.
Class: apache::mod::php
Installs and configures mod_php
.
Parameters:
Default values for these parameters depend on your operating system. Most of this class's parameters correspond to mod_php
directives; see the module's documentation for details.
package_name
: Names the package that installsmod_php
.path
: Defines the path to themod_php
shared object (.so
) file.source
: Defines the path to the default configuration. Values include apuppet:///
path.template
: Defines the path to thephp.conf
template Puppet uses to generate the configuration file.content
: Adds arbitrary content tophp.conf
.
Class: apache::mod::proxy_html
Note: There is no official package available for mod_proxy_html
, so you must make it available outside of the apache module.
Class: apache::mod::reqtimeout
Installs and configures mod_reqtimeout
.
Parameters
-
timeouts
: Sets theRequestReadTimeout
option.Values: A string or array.
Default: ['header=20-40,MinRate=500', 'body=20,MinRate=500'].
Class: apache::mod::rewrite
Installs and enables the Apache module mod_rewrite
.
Class: apache::mod::shib
Installs the Shibboleth Apache module mod_shib
, which enables SAML2 single sign-on (SSO) authentication by Shibboleth Identity Providers and Shibboleth Federations. Defining this class enables Shibboleth-specific parameters in apache::vhost
instances.
This class installs and configures only the Apache components of a web application that consumes Shibboleth SSO identities. You can manage the Shibboleth configuration manually, with Puppet, or using a Shibboleth Puppet Module.
Note: The shibboleth module isn't available on RH/CentOS without providing dependency packages provided by Shibboleth's repositories. See http://wiki.aaf.edu.au/tech-info/sp-install-guide
Class: apache::mod::ssl
Installs Apache SSL features and uses the ssl.conf.erb
template to generate its configuration. On most operating systems, this ssl.conf
is placed in the module configuration directory. On Red Hat-based operating systems, this file is placed in /etc/httpd/conf.d
, the same location in which the RPM stores the configuration.
To use SSL with a virtual host, you must either set the default_ssl_vhost
parameter in ::apache
to true
or the ssl
parameter in apache::vhost
to true
.
ssl_cipher
: Default: 'HIGH:MEDIUM:!aNULL:!MD5:!RC4'.ssl_compression
: Default: false.ssl_cryptodevice
: Default: 'builtin'.ssl_honorcipherorder
: Default: true.ssl_openssl_conf_cmd
: Default: undef.ssl_options
: Default: [ 'StdEnvVars' ]ssl_pass_phrase_dialog
: Default: 'builtin'.ssl_protocol
: Default: [ 'all', '-SSLv2', '-SSLv3' ].ssl_proxy_protocol
: Default: [].ssl_random_seed_bytes
: Valid options: A string. Default: '512'.ssl_sessioncache
: Valid options: A string. Default: '300'.ssl_sessioncachetimeout
: Valid options: A string. Default: '300'.ssl_mutex
: Default: Determined based on the OS. Valid options: See [mod_ssl][mod_ssl] documentation.- RedHat/FreeBSD/Suse/Gentoo: 'default'
- Debian/Ubuntu + Apache >= 2.4: 'default'
- Debian/Ubuntu + Apache < 2.4: 'file:\${APACHE_RUN_DIR}/ssl_mutex' **Parameters:
-
ssl_cipher
Default: 'HIGH:MEDIUM:!aNULL:!MD5:!RC4'.
-
ssl_compression
Default:
false
. -
ssl_cryptodevice
Default: 'builtin'.
-
ssl_honorcipherorder
Default:
true
. -
ssl_openssl_conf_cmd
Default:
undef
. -
ssl_options
Default: [ 'StdEnvVars' ]
-
ssl_pass_phrase_dialog
Default: 'builtin'.
-
ssl_protocol
Default: [ 'all', 'SSLv2', 'SSLv3' ].
-
ssl_random_seed_bytes
Values: A string.
Default: '512'.
-
ssl_sessioncachetimeout
Values: A string.
Default: '300'.
-
ssl_mutex
:Values: See [mod_ssl][mod_ssl] documentation.
Default: Based on the OS:
- RedHat/FreeBSD/Suse/Gentoo: 'default'.
- Debian/Ubuntu + Apache >= 2.4: 'default'.
- Debian/Ubuntu + Apache < 2.4: 'file:\${APACHE_RUN_DIR}/ssl_mutex'.
- Ubuntu 10.04: 'file:/var/run/apache2/ssl_mutex'.
Class: apache::mod::status
Installs mod_status
and uses the status.conf.erb
template to generate its configuration.
Parameters:
-
allow_from
: An array of IPv4 or IPv6 addresses that can access/server-status
.Default: ['127.0.0.1','::1'].
-
extended_status
: Determines whether to track extended status information for each request, via theExtendedStatus
directive.Values: 'Off', 'On'.
Default: 'On'.
-
status_path
: The server location of the status page.Default: '/server-status'.
Class: apache::mod::userdir
Allows user-specific directories to be accessed using the http://example.com/~user/
syntax. All parameters can be found in in the official Apache documentation.
Parameters:
-
overrides
: An array of directive-types.Default: '[ 'FileInfo', 'AuthConfig', 'Limit', 'Indexes' ]'.
Class: apache::mod::version
Installs mod_version
on many operating systems and Apache configurations.
If Debian and Ubuntu systems with Apache 2.4 are classified with apache::mod::version
, Puppet warns that mod_version
is built-in and can't be loaded.
Class: apache::mod::security
Installs and configures Trustwave's mod_security
. It is enabled and runs by default on all virtual hosts.
Parameters:
-
activated_rules
: An array of rules from themodsec_crs_path
or absolute to activate via symlinks. -
allowed_methods
: A space*separated list of allowed HTTP methods.Default: 'GET HEAD POST OPTIONS'.
-
content_types
: A list of one or more allowed [MIME types][MIME `content*type`].Default: 'application/xwwwformurlencoded|multipart/formdata|text/xml|application/xml|application/x*amf'.
-
crs_package
: Names the package that installs CRS rules.Default:
modsec_crs_package
inapache::params
. -
manage_security_crs
: Manage security_crs.conf rules file.Default:
true
. -
modsec_dir
: Defines the path where Puppet installs the modsec configuration and activated rules links.Default: 'On', set by
modsec_dir
inapache::params
. ${modsec_dir}/activated_rules. -
modsec_secruleengine
: Configures the modsec rules engine. Values: 'On', 'Off', and 'DetectionOnly'.Default:
modsec_secruleengine
inapache::params
. -
restricted_extensions
: A space*separated list of prohibited file extensions.Default: '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'.
-
restricted_headers
: A list of restricted headers separated by slashes and spaces.Default: 'ProxyConnection/ /LockToken/ /Content*Range/ /Translate/ /via/ /if/'.
-
secdefaultaction
: Configures the Mode of Operation, Self-Contained ('deny') or Collaborative Detection ('pass'), for the OWASP ModSecurity Core Rule Set.Default: 'deny'. You can also set full values, such as "log,auditlog,deny,status:406,tag:'SLA 24/7'".
-
secpcrematchlimit
: Sets the number for the match limit in the PCRE library.Default: 1500.
-
secpcrematchlimitrecursion
: Sets the number for the match limit recursion in the PCRE library.Default: 1500.
-
logroot
: Configures the location of audit and debug logs.Defaults to the Apache log directory (Redhat:
/var/log/httpd
, Debian:/var/log/apache2
). -
audit_log_releavant_status
: Configures which response status code is to be considered relevant for the purpose of audit logging.Default: '^(?:5|4(?!04))'.
-
audit_log_parts
: Sets the sections to be put in the audit log.Default: 'ABIJDEFHZ'.
-
anomaly_score_blocking
: Activates or deactivates the Collaborative Detection Blocking of the OWASP ModSecurity Core Rule Set.Default: 'off'.
-
inbound_anomaly_threshold
: Sets the scoring threshold level of the inbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.Default: 5.
-
outbound_anomaly_threshold
: Sets the scoring threshold level of the outbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.Default: 4.
-
critical_anomaly_score
: Sets the scoring points of the critical severity level for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.Default: 5.
-
error_anomaly_score
: Sets the scoring points of the error severity level for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.Default: 4.
-
warning_anomaly_score
: Sets the scoring points of the warning severity level for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.Default: 3.
-
notice_anomaly_score
: Sets the scoring points of the notice severity level for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.
Default: 2.
-
secrequestmaxnumargs
: Sets the Maximum number of arguments in the request.Default: 255.
-
secrequestbodylimit
: Sets the maximum request body size ModSecurity accepts for buffering.Default: '13107200'.
-
secrequestbodynofileslimit
: Sets the maximum request body size ModSecurity accepts for buffering, excluding the size of any files being transported in the request.Default: '131072'.
-
secrequestbodyinmemorylimit
: Sets the maximum request body size that ModSecurity stores in memory.Default: '131072'
Class: apache::mod::wsgi
Enables Python support via mod_wsgi
.
Parameters:
-
mod_path
: Defines the path to themod_wsgi
shared object (.so
) file.Default:
undef
.
Types in this module release
Change log
All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
Supported Release 2.1.0
Summary
This is a feature release including a security patch (CVE-2017-2299)
Added
apache::mod::jk
class for managing the mod_jk connectorapache_pw_hash
function- the ProxyPass directive in location contexts
- more Puppet 4 type validation
apache::mod::macro
class for managing mod_macro
Changed
- $ssl_certs_dir default to
undef
for all platorms - $ssl_verify_client must now be set to use any of the following:
$ssl_certs_dir
,$ssl_ca
,$ssl_crl_path
,$ssl_crl
,$ssl_verify_depth
,$ssl_crl_check
Fixed
- issue where mod_alias was not being loaded when RedirectMatch* directives were being used (MODULES-3942)
- issue with
$directories
parameter inapache::vhost
- issue in UserDir template where the UserDir path did not match the Directory path
- Issue where the $ssl_certs_dir default set Apache to implicitly trust all client certificates that were issued by any CA in that directory
Removed
- support for EOL platforms: Ubuntu 10.04, 12.04 and Debian 6 (Squeeze)
Supported Release 2.0.0
Summary
Major release removing Puppet 3 support and other backwards-incompatible changes.
Added
- support for FileETag directive configurable with the
file_e_tag
parameter - ability to configure multiple ports per vhost
- RequestHeader directive to vhost template (MODULES-4156)
- customizability for AllowOverride directive in userdir.conf (MODULES-4516)
- AdvertiseFrequency directive for cluster.conf (MODULES-4500)
ssl_proxy_protocol
andssl_sessioncache
parameters for mod::ssl (MODULES-4737)- SSLCACertificateFile directive in ssl.conf configurable with
ssl_ca
parameter - mod::authnz_pam
- mod::intercept_form_submit
- mod::lookup_identity
- Suse compatibility for mod::proxy_html
- support for AddCharset directive configurable with
add_charset
parameter - support for SSLProxyVerifyDepth and SSLProxyCACertificateFile directives configurable with
ssl_proxy_verify_depth
andssl_proxy_ca_cert
respectively manage_security_crs
parameter for mod::security- support for LimitExcept directive configurable with
limit_except
parameter - support for WSGIRestrictEmbedded directive configurable with
wsgi_restrict_embedded
parameter - support for custom UserDir path (MODULES-4933)
- support for PassengerMaxRequests directive configurable with
passenger_max_requests
- option to override module package names with
mod_packages
parameter (MODULES-3838)
Removed
- enclose_ipv6 as it was added to puppetlabs-stdlib
- deprecated
$verifyServerCert
parameter from theapache::mod::authnz_ldap
class (MODULES-4445)
Changed
keepalive
default to 'On' from 'Off'- Puppet version compatibility to ">= 4.7.0 < 6.0.0"
- puppetlabs-stdlib dependency to ">= 4.12.0 < 5.0.0"
ssl_cipher
to explicitly disable 3DES because of Sweet32
Fixed
- various issues in the vhost template
- use of deprecated
include_src
parameter in vhost_spec - management of ssl.conf on RedHat systems
- various SLES/Suse params
- mod::cgi ordering for FreeBSD
- issue where ProxyPreserveHost could not be set without other Proxy* directives
- the module attempting to install proxy_html on Ubuntu Xenial and Debian Stretch
Supported Release 1.11.1
Summary
This is a security patch release (CVE-2017-2299). These changes are also in version 2.1.0 and higher.
Changed
- $ssl_certs_dir default to
undef
for all platorms - $ssl_verify_client must now be set to use any of the following:
$ssl_certs_dir
,$ssl_ca
,$ssl_crl_path
,$ssl_crl
,$ssl_verify_depth
,$ssl_crl_check
Fixed
- Issue where the $ssl_certs_dir default set Apache to implicitly trust all client certificates that were issued by any CA in that directory (MODULES-5471)
Supported Release 1.11.0
Summary
This release adds SLES12 Support and many more features and bugfixes.
Features
- (MODULES-4049) Adds SLES 12 Support
- Adds additional directories options for LDAP Auth
auth_ldap_url
auth_ldap_bind_dn
auth_ldap_bind_password
auth_ldap_group_attribute
auth_ldap_group_attribute_is_dn
- Allows
mod_event
parameters to be unset - Allows management of default root directory access rights
- Adds class
apache::vhosts
to create apache::vhost resources - Adds class
apache::mod::proxy_wstunnel
- Adds class
apache::mod::dumpio
- Adds class
apache::mod::socache_shmcb
- Adds class
apache::mod::authn_dbd
- Adds support for apache 2.4 on Amazon Linux
- Support the newer
mod_auth_cas
config options - Adds
wsgi_script_aliases_match
parameter toapache::vhost
- Allow to override all SecDefaultAction attributes
- Add audit_log_relevant_status parameter to apache::mod::security
- Allow absolute path to $apache::mod::security::activated_rules
- Allow setting SecAuditLog
- Adds
passenger_max_instances_per_app
tomod::passenger
- Allow the proxy_via setting to be configured
- Allow no_proxy_uris to be used within proxy_pass
- Add rpaf.conf template parameter to
mod::rpaf
- Allow user to specify alternative package and library names for shibboleth module
- Allows configuration of shibboleth lib path
- Adds parameter
passenger_data_buffer_dir
tomod::passenger
- Adds SSL stapling
- Allows use of
balance_manager
withmod_proxy_balancer
- Raises lower bound of
stdlib
dependency to version 4.2 - Adds support for Passenger repo on Amazon Linux
- Add ability to set SSLStaplingReturnResponderErrors on server level
- (MODULES-4213) Allow global rewrite rules inheritance in vhosts
- Moves
mod_env
to its own class and load it when required
Bugfixes
- Deny access to .ht and .hg, which are created by mercurial hg.
- Instead of failing, include apache::mod::prefork in manifests/mod/itk.pp instead.
- Only set SSLCompression when it is set to true.
- Remove duplicate shib2 hash element
- (MODULES-3388) Include mpm_module classes instead of class declaration
- Updates
apache::balancer
to respectapache::confd_dir
- Wrap mod_security directives in an IfModule
- Fixes to various mods for Ubuntu Xenial
- Fix /etc/modsecurity perms to match package
- Fix PassengerRoot under Debian stretch
- (MODULES-3476) Updates regex in apache_version custom fact to work with EL5
- Dont sql_injection_attacks.data
- Add force option to confd file resource to purge directory without warnings
- Patch httpoxy through mod_security
- Fixes config ordering of IncludeOptional
- Fixes bug where port numbers were unquoted
- Fixes bug where empty servername for vhost were written to template
- Auto-load
slotmem_shm
andlbmethod_byrequests
withproxy_balancer
on 2.4 - Simplify MPM setup on FreeBSD
- Adds requirement for httpd package
- Do not set ssl_certs_dir on FreeBSD
- Fixes bug that produces a duplicate
Listen 443
after a package update on EL7 - Fixes bug where custom facts break structured facts
- Avoid relative classname inclusion
- Fixes a failure in
vhost
if the first element of$rewrites
is not a hash - (MODULES-3744) Process $crs_package before $modsec_dir
- (MODULES-1491) Adds
::apache
include to mods that need it
Supported Release 1.10.0
Summary
This release fixes backwards compatibility bugs introduced in 1.9.0. Also includes a new mod class and a new vhost feature.
Features
- Allow setting KeepAlive related options per vhost
apache::vhost::keepalive
apache::vhost::keepalive_timeout
apache::vhost::max_keepalive_requests
- Adds new class
apache::mod::cluster
Bugfixes
- MODULES-2890: Allow php_version != 5
- MODULES-2890: mod::php: Explicit test on jessie
- MODULES-2890: Fix PHP on Debian stretch and Ubuntu Xenial
- MODULES-2890: Fix mod_php SetHandler and cleanup
- Fixed trailing slash in lib_path on Suse
- Revert "MODULES-2956: Enable options within location block on proxy_match". Bug introduced in release 1.9.0.
- Revert "changed rpaf Configuration Directives: RPAF -> RPAF_". Bug introduced in release 1.9.0.
- Set actual path to apachectl on FreeBSD. Fixes snippets verification.
Supported Release [1.9.0][DELETED]
Features
- Added
apache_version
fact - Added
apache::balancer::target
attribute - Added
apache::fastcgi::server::pass_header
attribute - Added ability for
apache::fastcgi::server::host
using sockets - Added
apache::root_directory_options
attribute - Added for
apache::mod::ldap
:ldap_shared_cache_size
ldap_cache_entries
ldap_cache_ttl
ldap_opcache_entries
ldap_opcache_ttl
- Added
apache::mod::pagespeed::package_ensure
attribute - Added
apache::mod::passenger
attributes:passenger_log_level
manage_repo
- Added upstream repo for
apache::mod::passenger
- Added
apache::mod::proxy_fcgi
class - Added
apache::mod::security
attributes:audit_log_parts
secpcrematchlimit
secpcrematchlimitrecursion
secdefaultaction
anomaly_score_blocking
inbound_anomaly_threshold
outbound_anomaly_threshold
- Added
apache::mod::ssl
attributes:ssl_mutex
apache_version
- Added ubuntu 16.04 support
- Added
apache::mod::authnz_ldap::package_name
attribute - Added
apache::mod::ldap::package_name
attribute - Added
apache::mod::proxy::package_name
attribute - Added
apache::vhost
attributes:ssl_proxy_check_peen_expire
ssl_proxy_protocol
logroot_owner
logroot_group
setenvifnocase
passenger_user
passenger_high_performance
jk_mounts
fastcgi_idle_timeout
modsec_disable_msgs
modsec_disable_tags
- Added ability for 2.4-style
RequireAll|RequireNone|RequireAny
directory permissions - Added ability for includes in vhost directory
- Added directory values:
AuthMerging
MellonSPMetadataFile
- Adds Configurability of Collaborative Detection Severity Levels for OWASP Core Rule Set to
apache::mod::security
classcritical_anomaly_score
error_anomaly_score
warning_anomaly_score
notice_anomaly_score
- Adds ability to configure
info_path
inapache::mod::info
class - Adds ability to configure
verify_config
inapache::vhost::custom
Bugfixes
- Fixed apache mod setup for event/worker failing syntax
- Fixed concat deprecation warnings
- Fixed pagespeed mod
- Fixed service restart on mod update
- Fixed mod dir purging to happen after package installs
- Fixed various
apache::mod::*
file modes - Fixed
apache::mod::authnz_ldap
parameterverifyServerCert
to beverify_server_cert
- Fixed loadfile name in
apache::mod::fcgid
- Fixed
apache::mod::remoteip
to fail on apache < 2.4 (because it is not available) - Fixed
apache::mod::ssl::ssl_honorcipherorder
interpolation - Lint fixes
- Strict variable fixes
- Fixed
apache::vhost
attributeredirectmatch_status
to be optional - Fixed SSLv3 on by default in mod_nss
- Fixed mod_rpaf directive names in template
- Fixed mod_worker needing MaxClients with ThreadLimit
- Fixed quoting on vhost php_value
- Fixed xml2enc for proxy_html on debian
- Fixed a problem where the apache service restarts too fast
Supported Release 1.8.1
Summary
This release includes bug fixes and a documentation update.
Bugfixes
- Fixes a bug that occurs when using the module in combination with puppetlabs-concat 2.x.
- Fixes a bug where passenger.conf was vulnerable to purging.
- Removes the pin of the concat module dependency.
Supported Release 1.8.0
Summary
This release includes a lot of bug fixes and feature updates, including support for Debian 8, as well as many test improvements.
Features
- Debian 8 Support.
- Added the 'file_mode' property to allow a custom permission setting for config files.
- Enable 'PassengerMaxRequestQueueSize' to be set for mod_passenger.
- MODULES-2956: Enable options within location block on proxy_match.
- Support itk on redhat.
- Support the mod_ssl SSLProxyVerify directive.
- Support ProxPassReverseCookieDomain directive (mod_proxy).
- Support proxy provider for vhost directories.
- Added new 'apache::vhost::custom' resource.
Bugfixes
- Fixed ProxyPassReverse configuration.
- Fixed error in Amazon operatingsystem detection.
- Fixed mod_security catalog ordering issues for RedHat 7.
- Fixed paths and packages for the shib2 apache module on Debian pre Jessie.
- Fixed EL7 directory path for apache modules.
- Fixed validation error when empty array is passed for the rewrites parameter.
- Idempotency fixes with regards to '::apache::mod_enable_dir'.
- ITK fixes.
- (MODULES-2865) fix $mpm_module logic for 'false'.
- Set SSLProxy directives even if ssl is false, due to issue with RewriteRules and ProxyPass directives.
- Enable setting LimitRequestFieldSize globally, and remove it from vhost.
Improvements
- apache::mod::php now uses FilesMatch to configure the php handler. This is following the recommended upstream configuration guidelines (http://php.net/manual/en/install.unix.apache2.php#example-20) and distribution's default config (e.g.: http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/vivid/php5/vivid/view/head:/debian/php5.conf). It avoids inadvertently exposing the PHP handler to executing uploads with names like 'file.php.jpg', but might impact setups with unusual requirements.
- Improved compatibility for Gentoo.
- Vhosts can now be supplied with a wildcard listen value.
- Numerous test improvements.
- Removed workarounds for https://bz.apache.org/bugzilla/show_bug.cgi?id=38864 as the issues have been fixed in Apache.
- Documentation updates.
- Ensureed order of ProxyPass and ProxyPassMatch parameters.
- Ensure that ProxyPreserveHost is set to off mode explicitly if not set in manifest.
- Put headers and request headers before proxy with regards to template generation.
- Added X-Forwarded-For into log_formats defaults.
- (MODULES-2703) Allow mod pagespeed to take an array of lines as additional_configuration.
Supported Release 1.7.1
###Summary
Small release for support of newer PE versions. This increments the version of PE in the metadata.json file.
Supported Release 1.7.0
Summary
This release includes many new features and bugfixes. There are test, documentation and misc improvements.
Features
- allow groups with - like vhost-users
- ability to enable/disable the secruleengine through a parameter
- add mod_auth_kerb parameters to vhost
- client auth for reverse proxy
- support for mod_auth_mellon
- change SSLProtocol in apache::vhost to be space separated
- RewriteLock support
Bugfixes
- fix apache::mod::cgid so it can be used with the event MPM
- load unixd before fcgid on all operating systems
- fixes conditional in vhost aliases
- corrects mod_cgid worker/event defaults
- ProxyPassMatch parameters were ending up on a newline
- catch that mod_authz_default has been removed in Apache 2.4
- mod::ssl fails on SLES
- fix typo of MPM_PREFORK for FreeBSD package install
- install all modules before adding custom configs
- fix acceptance testing for SSLProtocol behaviour for real
- fix ordering issue with conf_file and ports_file
Known Issues
- mod_passenger is having issues installing on Redhat/Centos 6, This is due to package dependency issues.
Improvements
- added docs for forcetype directive
- removes ruby 1.8.7 from the travisci test matrix
- readme reorganisation, minor fixups
- support the mod_proxy ProxyPassReverseCookiePath directive
- the purge_vhost_configs parameter is actually called purge_vhost_dir
- add ListenBacklog for mod worker
- deflate application/json by default
- install mod_authn_alias as default mod in debian for apache < 2.4
- optionally set LimitRequestFieldSize on an apache::vhost
- add SecUploadDir parameter to support file uploads with mod_security
- optionally set parameters for mod_ext_filter module
- allow SetOutputFilter to be set on a directory
- RC4 is deprecated
- allow empty docroot
- add option to configure the include pattern for the vhost_enable dir
- allow multiple IP addresses per vhost
- default document root update for Ubuntu 14.04 and Debian 8
Supported Release 1.6.0
Summary
This release includes a couple of new features, along with test and documentation updates, and support for the latest AIO puppet builds.
Features
- Add
scan_proxy_header_field
parameter toapache::mod::geoip
- Add
ssl_openssl_conf_cmd
parameter toapache::vhost
andapache::mod::ssl
- Add
filters
parameter toapache::vhost
Bugfixes
- Test updates
- Do not use systemd on Amazon Linux
- Add missing docs for
timeout
parameter (MODULES-2148)
Supported Release 1.5.0
Summary
This release primarily adds Suse compatibility. It also adds a handful of other parameters for greater configuration control.
Features
- Add
apache::lib_path
parameter - Add
apache::service_restart
parameter - Add
apache::vhost::geoip_enable
parameter - Add
apache::mod::geoip
class - Add
apache::mod::remoteip
class - Add parameters to
apache::mod::expires
class - Add
index_style_sheet
handling toapache::vhost::directories
- Add some compatibility for SLES 11
- Add
apache::mod::ssl::ssl_sessioncachetimeout
parameter - Add
apache::mod::ssl::ssl_cryptodevice
parameter - Add
apache::mod::ssl::ssl_honorcipherorder
parameter - Add
apache::mod::userdir::options
parameter
Bugfixes
- Document
apache::user
parameter - Document
apache::group
parameter - Fix apache::dev on FreeBSD
- Fix proxy_connect on apache >= 2.2
- Validate log levels better
- Fix
apache::apache_name
for package and vhost - Fix Debian Jessie mod_prefork package name
- Fix alias module being declared even when vhost is absent
- Fix proxy_pass_match handling in vhost's proxy template
- Fix userdir access permissions
- Fix issue where the module was trying to use systemd on Amazon Linux.
Supported Release 1.4.1
This release corrects a metadata issue that has been present since release 1.2.0. The refactoring of apache::vhost
to use puppetlabs-concat
requires a version of concat newer than the version required in PE. If you are using PE 3.3.0 or earlier you will need to use version 1.1.1 or earlier of the puppetlabs-apache
module.
Supported Release 1.4.0
###Summary
This release fixes the issue where the docroot was still managed even if the default vhosts were disabled and has many other features and bugfixes including improved support for 'deny' and 'require' as arrays in the 'directories' parameter under apache::vhost
Features
- New parameters to
apache
default_charset
default_type
- New parameters to
apache::vhost
proxy_error_override
passenger_app_env
(MODULES-1776)proxy_dest_match
proxy_dest_reverse_match
proxy_pass_match
no_proxy_uris_match
- New parameters to
apache::mod::passenger
passenger_app_env
passenger_min_instances
- New parameter to
apache::mod::alias
icons_options
- New classes added under
apache::mod::*
authn_file
authz_default
authz_user
- Added support for 'deny' as an array in 'directories' under
apache::vhost
- Added support for RewriteMap
- Improved support for FreeBSD. (Note: If using apache < 2.4.12, see the discussion here)
- Added check for deprecated options in directories and fail when they are unsupported
- Added gentoo compatibility
- Added proper array support for
require
in thedirectories
parameter inapache::vhost
- Added support for
setenv
inside proxy locations
Bugfixes
- Fix issue in
apache::vhost
that was preventing the scriptalias fragment from being included (MODULES-1784) - Install required
mod_ldap
package for EL7 (MODULES-1779) - Change default value of
maxrequestworkers
inapache::mod::event
to be a multiple of the defaultThreadsPerChild
of 25. - Use the correct
mod_prefork
package name for trusty and jessie - Don't manage docroot when default vhosts are disabled
- Ensure resources notify
Class['Apache::Service']
instead ofService['httpd']
(MODULES-1829) - Change the loadfile name for
mod_passenger
somod_proxy
will load by default beforemod_passenger
- Remove old Debian work-around that removed
passenger_extra.conf
Supported Release 1.3.0
Summary
This release has many new features and bugfixes, including the ability to optionally not trigger service restarts on config changes.
Features
- New parameters -
apache
service_manage
use_optional_includes
- New parameters -
apache::service
service_manage
- New parameters -
apache::vhost
access_logs
php_flags
php_values
modsec_disable_vhost
modsec_disable_ids
modsec_disable_ips
modsec_body_limit
- Improved FreeBSD support
- Add ability to omit priority prefix if
$priority
is set to false - Add
apache::security::rule_link
define - Improvements to
apache::mod::*
- Add
apache::mod::auth_cas
class - Add
threadlimit
,listenbacklog
,maxrequestworkers
,maxconnectionsperchild
parameters toapache::mod::event
- Add
apache::mod::filter
class - Add
root_group
toapache::mod::php
- Add
apache::mod::proxy_connect
class - Add
apache::mod::security
class - Add
ssl_pass_phrase_dialog
andssl_random_seed_bytes
parameters toapache::mod::ssl
(MODULES-1719) - Add
status_path
parameter toapache::mod::status
- Add
apache_version
parameter toapache::mod::version
- Add
package_name
andmod_path
parameters toapache::mod::wsgi
(MODULES-1458)
- Add
- Improved SCL support
- Add support for specifying the docroot
- Updated
_directories.erb
to add support for SetEnv - Support multiple access log directives (MODULES-1382)
- Add passenger support for Debian Jessie
- Add support for not having puppet restart the apache service (MODULES-1559)
Bugfixes
- For apache 2.4
mod_itk
requiresmod_prefork
(MODULES-825) - Allow SSLCACertificatePath to be unset in
apache::vhost
(MODULES-1457) - Load fcgid after unixd on RHEL7
- Allow disabling default vhost for Apache 2.4
- Test fixes
mod_version
is now built-in (MODULES-1446)- Sort LogFormats for idempotency
allow_encoded_slashes
was omitted fromapache::vhost
- Fix documentation bug (MODULES-1403, MODULES-1510)
- Sort
wsgi_script_aliases
for idempotency (MODULES-1384) - lint fixes
- Fix automatic version detection for Debian Jessie
- Fix error docs and icons path for RHEL7-based systems (MODULES-1554)
- Sort php_* hashes for idempotency (MODULES-1680)
- Ensure
mod::setenvif
is included if needed (MODULES-1696) - Fix indentation in
vhost/_directories.erb
template (MODULES-1688) - Create symlinks on all distros if
vhost_enable_dir
is specified
Supported Release 1.2.0
Summary
This release features many improvements and bugfixes, including several new defines, a reworking of apache::vhost for more extensibility, and many new parameters for more customization. This release also includes improved support for strict variables and the future parser.
Features
- Convert apache::vhost to use concat for easier extensions
- Test improvements
- Synchronize files with modulesync
- Strict variable and future parser support
- Added apache::custom_config defined type to allow validation of configs before they are created
- Added bool2httpd function to convert true/false to apache 'On' and 'Off'. Intended for internal use in the module.
- Improved SCL support
- allow overriding of the mod_ssl package name
- Add support for reverse_urls/ProxyPassReverse in apache::vhost
- Add satisfy directive in apache::vhost::directories
- Add apache::fastcgi::server defined type
- New parameters - apache
- allow_encoded_slashes
- apache_name
- conf_dir
- default_ssl_crl_check
- docroot
- logroot_mode
- purge_vhost_dir
- New parameters - apache::vhost
- add_default_charset
- allow_encoded_slashes
- logroot_ensure
- logroot_mode
- manage_docroot
- passenger_app_root
- passenger_min_instances
- passenger_pre_start
- passenger_ruby
- passenger_start_timeout
- proxy_preserve_host
- redirectmatch_dest
- ssl_crl_check
- wsgi_chunked_request
- wsgi_pass_authorization
- Add support for ScriptAlias and ScriptAliasMatch in the apache::vhost::aliases parameter
- Add support for rewrites in the apache::vhost::directories parameter
- If the service_ensure parameter in apache::service is set to anything other than true, false, running, or stopped, ensure will not be passed to the service resource, allowing for the service to not be managed by puppet
- Turn of SSLv3 by default
- Improvements to apache::mod*
- Add restrict_access parameter to apache::mod::info
- Add force_language_priority and language_priority parameters to apache::mod::negotiation
- Add threadlimit parameter to apache::mod::worker
- Add content, template, and source parameters to apache::mod::php
- Add mod_authz_svn support via the authz_svn_enabled parameter in apache::mod::dav_svn
- Add loadfile_name parameter to apache::mod
- Add apache::mod::deflate class
- Add options parameter to apache::mod::fcgid
- Add timeouts parameter to apache::mod::reqtimeout
- Add apache::mod::shib
- Add apache_version parameter to apache::mod::ldap
- Add magic_file parameter to apache::mod::mime_magic
- Add apache_version parameter to apache::mod::pagespeed
- Add passenger_default_ruby parameter to apache::mod::passenger
- Add content, template, and source parameters to apache::mod::php
- Add apache_version parameter to apache::mod::proxy
- Add loadfiles parameter to apache::mod::proxy_html
- Add ssl_protocol and package_name parameters to apache::mod::ssl
- Add apache_version parameter to apache::mod::status
- Add apache_version parameter to apache::mod::userdir
- Add apache::mod::version class
Bugfixes
- Set osfamily defaults for wsgi_socket_prefix
- Support multiple balancermembers with the same url
- Validate apache::vhost::custom_fragment
- Add support for itk with mod_php
- Allow apache::vhost::ssl_certs_dir to not be set
- Improved passenger support for Debian
- Improved 2.4 support without mod_access_compat
- Support for more than one 'Allow from'-directive in _directories.erb
- Don't load systemd on Amazon linux based on CentOS6 with apache 2.4
- Fix missing newline in ModPagespeed filter and memcached servers directive
- Use interpolated strings instead of numbers where required by future parser
- Make auth_require take precedence over default with apache 2.4
- Lint fixes
- Set default for php_admin_flags and php_admin_values to be empty hash instead of empty array
- Correct typo in mod::pagespeed
- spec_helper fixes
- Install mod packages before dealing with the configuration
- Use absolute scope to check class definition in apache::mod::php
- Fix dependency loop in apache::vhost
- Properly scope variables in the inline template in apache::balancer
- Documentation clarification, typos, and formatting
- Set apache::mod::ssl::ssl_mutex to default for debian on apache >= 2.4
- Strict variables fixes
- Add authn_core mode to Ubuntu trusty defaults
- Keep default loadfile for authz_svn on Debian
- Remove '.conf' from the site-include regexp for better Ubuntu/Debian support
- Load unixd before fcgid for EL7
- Fix RedirectMatch rules
- Fix misleading error message in apache::version
Known Bugs
- By default, the version of Apache that ships with Ubuntu 10.04 does not work with
wsgi_import_script
. - SLES is unsupported.
Supported Release 1.1.1
Summary
This release merely updates metadata.json so the module can be uninstalled and upgraded via the puppet module command.
Supported Release 1.1.0
Summary
This release primarily focuses on extending the httpd 2.4 support, tested through adding RHEL7 and Ubuntu 14.04 support. It also includes Passenger 4 support, as well as several new modules and important bugfixes.
Features
- Add support for RHEL7 and Ubuntu 14.04
- More complete apache24 support
- Passenger 4 support
- Add support for max_keepalive_requests and log_formats parameters
- Add mod_pagespeed support
- Add mod_speling support
- Added several parameters for mod_passenger
- Added ssl_cipher parameter to apache::mod::ssl
- Improved examples in documentation
- Added docroot_mode, action, and suexec_user_group parameters to apache::vhost
- Add support for custom extensions for mod_php
- Improve proxy_html support for Debian
Bugfixes
- Remove NameVirtualHost directive for apache >= 2.4
- Order proxy_set option so it doesn't change between runs
- Fix inverted SSL compression
- Fix missing ensure on concat::fragment resources
- Fix bad dependencies in apache::mod and apache::mod::mime
Known Bugs
- By default, the version of Apache that ships with Ubuntu 10.04 does not work with
wsgi_import_script
. - SLES is unsupported.
Supported Release 1.0.1
Summary
This is a supported release. This release removes a testing symlink that can cause trouble on systems where /var is on a seperate filesystem from the modulepath.
Features
Bugfixes
Known Bugs
- By default, the version of Apache that ships with Ubuntu 10.04 does not work with
wsgi_import_script
. - SLES is unsupported.
Supported Release 1.0.0
Summary
This is a supported release. This release introduces Apache 2.4 support for Debian and RHEL based osfamilies.
Features
- Add apache24 support
- Add rewrite_base functionality to rewrites
- Updated README documentation
- Add WSGIApplicationGroup and WSGIImportScript directives
Bugfixes
- Replace mutating hashes with merge() for Puppet 3.5
- Fix WSGI import_script and mod_ssl issues on Lucid
Known Bugs
- By default, the version of Apache that ships with Ubuntu 10.04 does not work with
wsgi_import_script
. - SLES is unsupported.
Supported Release 0.11.0
Summary:
This release adds preliminary support for Windows compatibility and multiple rewrite support.
Backwards-incompatible Changes:
- The rewrite_rule parameter is deprecated in favor of the new rewrite parameter and will be removed in a future release.
Features:
- add Match directive
- quote paths for windows compatibility
- add auth_group_file option to README.md
- allow AuthGroupFile directive for vhosts
- Support Header directives in vhost context
- Don't purge mods-available dir when separate enable dir is used
- Fix the servername used in log file name
- Added support for mod_include
- Remove index parameters.
- Support environment variable control for CustomLog
- added redirectmatch support
- Setting up the ability to do multiple rewrites and conditions.
- Convert spec tests to beaker.
- Support phpadmin(flag|value)s
Bugfixes:
- directories are either a Hash or an Array of Hashes
- Configure Passenger in separate .conf file on RH so PassengerRoot isn't lost
- (docs) Update list of
apache::mod::[name]
classes - (docs) Fix apache::namevirtualhost example call style
- Fix $ports_file reference in apache::listen.
- Fix $ports_file reference in Namevirtualhost.
Supported Release 0.10.0
Summary:
This release adds FreeBSD osfamily support and various other improvements to some mods.
Features:
- Add suPHP_UserGroup directive to directory context
- Add support for ScriptAliasMatch directives
- Set SSLOptions StdEnvVars in server context
- No implicit entry for ScriptAlias path
- Add support for overriding ErrorDocument
- Add support for AliasMatch directives
- Disable default "allow from all" in vhost-directories
- Add WSGIPythonPath as an optional parameter to mod_wsgi.
- Add mod_rpaf support
- Add directives: IndexOptions, IndexOrderDefault
- Add ability to include additional external configurations in vhost
- need to use the provider variable not the provider key value from the directory hash for matches
- Support for FreeBSD and few other features
- Add new params to apache::mod::mime class
- Allow apache::mod to specify module id and path
- added $server_root parameter
- Add Allow and ExtendedStatus support to mod_status
- Expand vhost/_directories.pp directive support
- Add initial support for nss module (no directives in vhost template yet)
- added peruser and event mpms
- added $service_name parameter
- add parameter for TraceEnable
- Make LogLevel configurable for server and vhost
- Add documentation about $ip
- Add ability to pass ip (instead of wildcard) in default vhost files
Bugfixes:
- Don't listen on port or set NameVirtualHost for non-existent vhost
- only apply Directory defaults when provider is a directory
- Working mod_authnz_ldap support on Debian/Ubuntu
Supported Release 0.9.0
Summary:
This release adds more parameters to the base apache class and apache defined resource to make the module more flexible. It also adds or enhances SuPHP, WSGI, and Passenger mod support, and support for the ITK mpm module.
Backwards-incompatible Changes:
- Remove many default mods that are not normally needed.
- Remove
rewrite_base
apache::vhost
parameter; did not work anyway. - Specify dependencies on stdlib >=2.4.0 (this was already the case, but making explicit)
- Deprecate
a2mod
in favor of theapache::mod::*
classes andapache::mod
defined resource.
Features:
apache
class- Add
httpd_dir
parameter to change the location of the configuration files. - Add
logroot
parameter to change the logroot - Add
ports_file
parameter to changes theports.conf
file location - Add
keepalive
parameter to enable persistent connections - Add
keepalive_timeout
parameter to change the timeout - Update
default_mods
to be able to take an array of mods to enable.
- Add
apache::vhost
- Add
wsgi_daemon_process
,wsgi_daemon_process_options
,wsgi_process_group
, andwsgi_script_aliases
parameters for per-vhost WSGI configuration. - Add
access_log_syslog
parameter to enable syslogging. - Add
error_log_syslog
parameter to enable syslogging of errors. - Add
directories
hash parameter. Please see README for documentation. - Add
sslproxyengine
parameter to enable SSLProxyEngine - Add
suphp_addhandler
,suphp_engine
, andsuphp_configpath
for configuring SuPHP. - Add
custom_fragment
parameter to allow for arbitrary apache configuration injection. (Feature pull requests are prefered over using this, but it is available in a pinch.)
- Add
- Add
apache::mod::suphp
class for configuring SuPHP. - Add
apache::mod::itk
class for configuring ITK mpm module. - Update
apache::mod::wsgi
class for global WSGI configuration withwsgi_socket_prefix
andwsgi_python_home
parameters. - Add README.passenger.md to document the
apache::mod::passenger
usage. Addedpassenger_high_performance
,passenger_pool_idle_time
,passenger_max_requests
,passenger_stat_throttle_rate
,rack_autodetect
, andrails_autodetect
parameters. - Separate the httpd service resource into a new
apache::service
class for dependency chaining ofClass['apache'] -> <resource> ~> Class['apache::service']
- Added
apache::mod::proxy_balancer
class forapache::balancer
Bugfixes:
- Change dependency to puppetlabs-concat
- Fix ruby 1.9 bug for
a2mod
- Change servername to be
$::hostname
if there is no$::fqdn
- Make
/etc/ssl/certs
the default ssl certs directory for RedHat non-5. - Make
php
the default php package for RedHat non-5. - Made
aliases
able to take a single alias hash instead of requiring an array.
Supported Release 0.8.1
Bugfixes:
- Update
apache::mpm_module
detection for worker/prefork - Update
apache::mod::cgi
andapache::mod::cgid
detection for worker/prefork
Supported Release 0.8.0
Features:
- Add
servername
parameter toapache
class - Add
proxy_set
parameter toapache::balancer
define
Bugfixes:
- Fix ordering for multiple
apache::balancer
clusters - Fix symlinking for sites-available on Debian-based OSs
- Fix dependency ordering for recursive confdir management
- Fix
apache::mod::*
to notify the service on config change - Documentation updates
Supported Release 0.7.0
Changes:
- Essentially rewrite the module -- too many to list
apache::vhost
has many abilities -- see README.md for detailsapache::mod::*
classes provide httpd mod-loading capabilitiesapache
base class is much more configurable
Bugfixes:
- Many. And many more to come
Supported Release 0.6.0
- update travis tests (add more supported versions)
- add access log_parameter
- make purging of vhost dir configurable
Supported Release 0.4.0
Changes:
include apache
is now required when usingapache::mod::*
Bugfixes:
- Fix syntax for validate_re
- Fix formatting in vhost template
- Fix spec tests such that they pass
Supported Release 0.0.4
- e62e362 Fix broken tests for ssl, vhost, vhost::*
- 42c6363 Changes to match style guide and pass puppet-lint without error
- 42bc8ba changed name => path for file resources in order to name namevar by it's name
- 72e13de One end too much
- 0739641 style guide fixes: 'true' <> true, $operatingsystem needs to be $::operatingsystem, etc.
- 273f94d fix tests
- a35ede5 (#13860) Make a2enmod/a2dismo commands optional
- 98d774e (#13860) Autorequire Package['httpd']
- 05fcec5 (#13073) Add missing puppet spec tests
- 541afda (#6899) Remove virtual a2mod definition
- 976cb69 (#13072) Move mod python and wsgi package names to params
- 323915a (#13060) Add .gitignore to repo
- fdf40af (#13060) Remove pkg directory from source tree
- fd90015 Add LICENSE file and update the ModuleFile
- d3d0d23 Re-enable local php class
- d7516c7 Make management of firewalls configurable for vhosts
- 60f83ba Explicitly lookup scope of apache_name in templates.
- f4d287f (#12581) Add explicit ordering for vdir directory
- 88a2ac6 (#11706) puppetlabs-apache depends on puppetlabs-firewall
- a776a8b (#11071) Fix to work with latest firewall module
- 2b79e8b (#11070) Add support for Scientific Linux
- 405b3e9 Fix for a2mod
- 57b9048 Commit apache::vhost::redirect Manifest
- 8862d01 Commit apache::vhost::proxy Manifest
- d5c1fd0 Commit apache::mod::wsgi Manifest
- a825ac7 Commit apache::mod::python Manifest
- b77062f Commit Templates
- 9a51b4a Vhost File Declarations
- 6cf7312 Defaults for Parameters
- 6a5b11a Ensure installed
- f672e46 a2mod fix
- 8a56ee9 add pthon support to apache
Dependencies
- puppetlabs/stdlib (>= 4.13.1 < 5.0.0)
- puppetlabs/concat (>= 2.2.1 < 5.0.0)
Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.