diff --git a/manifests/default_mods.pp b/manifests/default_mods.pp
index 8e7b5d02..255c9239 100644
--- a/manifests/default_mods.pp
+++ b/manifests/default_mods.pp
@@ -1,186 +1,186 @@
# @summary
# Installs and congfigures default mods for Apache
#
# @api private
class apache::default_mods (
$all = true,
$mods = undef,
$apache_version = $apache::apache_version,
$use_systemd = $apache::use_systemd,
) {
# These are modules required to run the default configuration.
# They are not configurable at this time, so we just include
# them to make sure it works.
case $::osfamily {
'redhat': {
::apache::mod { 'log_config': }
if versioncmp($apache_version, '2.4') >= 0 {
# Lets fork it
# Do not try to load mod_systemd on RHEL/CentOS 6 SCL.
- if ( !($::osfamily == 'redhat' and versioncmp($::operatingsystemrelease, '7.0') == -1) and !($::operatingsystem == 'Amazon') ) {
+ if ( !($::osfamily == 'redhat' and versioncmp($::operatingsystemmajrelease, '7') == -1) and !($::operatingsystem == 'Amazon') ) {
if ($use_systemd) {
::apache::mod { 'systemd': }
}
}
if ($::operatingsystem == 'Amazon' and $::operatingsystemrelease == '2') {
::apache::mod { 'systemd': }
}
::apache::mod { 'unixd': }
}
}
'freebsd': {
::apache::mod { 'log_config': }
::apache::mod { 'unixd': }
}
'Suse': {
::apache::mod { 'log_config': }
}
default: {}
}
case $::osfamily {
'gentoo': {}
default: {
::apache::mod { 'authz_host': }
}
}
# The rest of the modules only get loaded if we want all modules enabled
if $all {
case $::osfamily {
'debian': {
include apache::mod::authn_core
include apache::mod::reqtimeout
if versioncmp($apache_version, '2.4') < 0 {
::apache::mod { 'authn_alias': }
}
}
'redhat': {
include apache::mod::actions
include apache::mod::authn_core
include apache::mod::cache
include apache::mod::ext_filter
include apache::mod::mime
include apache::mod::mime_magic
include apache::mod::rewrite
include apache::mod::speling
include apache::mod::suexec
include apache::mod::version
include apache::mod::vhost_alias
::apache::mod { 'auth_digest': }
::apache::mod { 'authn_anon': }
::apache::mod { 'authn_dbm': }
::apache::mod { 'authz_dbm': }
::apache::mod { 'authz_owner': }
::apache::mod { 'expires': }
::apache::mod { 'include': }
::apache::mod { 'logio': }
::apache::mod { 'substitute': }
::apache::mod { 'usertrack': }
if versioncmp($apache_version, '2.4') < 0 {
::apache::mod { 'authn_alias': }
::apache::mod { 'authn_default': }
}
}
'freebsd': {
include apache::mod::actions
include apache::mod::authn_core
include apache::mod::cache
include apache::mod::disk_cache
include apache::mod::headers
include apache::mod::info
include apache::mod::mime_magic
include apache::mod::reqtimeout
include apache::mod::rewrite
include apache::mod::userdir
include apache::mod::version
include apache::mod::vhost_alias
include apache::mod::speling
include apache::mod::filter
::apache::mod { 'asis': }
::apache::mod { 'auth_digest': }
::apache::mod { 'auth_form': }
::apache::mod { 'authn_anon': }
::apache::mod { 'authn_dbm': }
::apache::mod { 'authn_socache': }
::apache::mod { 'authz_dbd': }
::apache::mod { 'authz_dbm': }
::apache::mod { 'authz_owner': }
::apache::mod { 'dumpio': }
::apache::mod { 'expires': }
::apache::mod { 'file_cache': }
::apache::mod { 'imagemap': }
::apache::mod { 'include': }
::apache::mod { 'logio': }
::apache::mod { 'request': }
::apache::mod { 'session': }
::apache::mod { 'unique_id': }
}
default: {}
}
case $apache::mpm_module {
'prefork': {
include apache::mod::cgi
}
'worker': {
include apache::mod::cgid
}
default: {
# do nothing
}
}
include apache::mod::alias
include apache::mod::authn_file
include apache::mod::autoindex
include apache::mod::dav
include apache::mod::dav_fs
include apache::mod::deflate
include apache::mod::dir
include apache::mod::mime
include apache::mod::negotiation
include apache::mod::setenvif
::apache::mod { 'auth_basic': }
if versioncmp($apache_version, '2.4') >= 0 {
# filter is needed by mod_deflate
include apache::mod::filter
# authz_core is needed for 'Require' directive
::apache::mod { 'authz_core':
id => 'authz_core_module',
}
# lots of stuff seems to break without access_compat
::apache::mod { 'access_compat': }
} else {
include apache::mod::authz_default
}
include apache::mod::authz_user
::apache::mod { 'authz_groupfile': }
include apache::mod::env
} elsif $mods {
::apache::default_mods::load { $mods: }
if versioncmp($apache_version, '2.4') >= 0 {
# authz_core is needed for 'Require' directive
::apache::mod { 'authz_core':
id => 'authz_core_module',
}
# filter is needed by mod_deflate
include apache::mod::filter
}
} else {
if versioncmp($apache_version, '2.4') >= 0 {
# authz_core is needed for 'Require' directive
::apache::mod { 'authz_core':
id => 'authz_core_module',
}
# filter is needed by mod_deflate
include apache::mod::filter
}
}
}
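Review bot: The rewritten mod_systemd guard reads the fact as `$::operatingsystemmajrelease`, while the init.pp change in this same commit reads it as `$facts['operatingsystemmajrelease']`; using one access form keeps the two release checks in step. The comparison `versioncmp(...) == -1` also differs from the `< 0` / `>= 0` form used for `$apache_version` elsewhere in this class. The `$::osfamily == 'redhat'` term is always true inside the `'redhat'` case branch, so the line could read `if versioncmp($facts['operatingsystemmajrelease'], '7') >= 0 and $::operatingsystem != 'Amazon' {`. The Amazon check just below still tests `$::operatingsystemrelease == '2'`, which is presumably intentional but deserves a short comment now that the neighbouring check uses the major release. If the catalog is compiled with fact sets that lack `operatingsystemmajrelease` (some test fixtures may), `versioncmp` would receive undef, so the spec facts should be confirmed to carry it.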
diff --git a/manifests/init.pp b/manifests/init.pp
index cae2ba92..f01d101b 100755
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,866 +1,866 @@
# @summary
# Guides the basic setup and installation of Apache on your system.
#
# When this class is declared with the default options, Puppet:
# - Installs the appropriate Apache software package and [required Apache modules](#default_mods) for your operating system.
# - Places the required configuration files in a directory, with the [default location](#conf_dir) determined by your operating system.
# - Configures the server with a default virtual host and standard port (`80`) and address (`\*`) bindings.
# - Creates a document root directory determined by your operating system, typically `/var/www`.
# - Starts the Apache service.
#
# @example
# class { 'apache': }
#
# @param allow_encoded_slashes
# Sets the server default for the `AllowEncodedSlashes` declaration, which modifies the
# responses to URLs containing '\' and '/' characters. If not specified, this parameter omits
# the declaration from the server's configuration and uses Apache's default setting of 'off'.
#
# @param apache_version
# Configures module template behavior, package names, and default Apache modules by defining
# the version of Apache to use. We do not recommend manually configuring this parameter
# without reason.
#
# @param conf_dir
# Sets the directory where the Apache server's main configuration file is located.
#
# @param conf_template
# Defines the template used for the main Apache configuration file. Modifying this
# parameter is potentially risky, as the apache module is designed to use a minimal
# configuration file customized by `conf.d` entries.
#
# @param confd_dir
# Sets the location of the Apache server's custom configuration directory.
#
# @param default_charset
# Used as the `AddDefaultCharset` directive in the main configuration file.
#
# @param default_confd_files
# Determines whether Puppet generates a default set of includable Apache configuration files
# in the directory defined by the `confd_dir` parameter. These configuration files
# correspond to what is typically installed with the Apache package on the server's
# operating system.
#
# @param default_mods
# Determines whether to configure and enable a set of default Apache modules depending on
# your operating system.
# If `false`, Puppet includes only the Apache modules required to make the HTTP daemon work
# on your operating system, and you can declare any other modules separately using the
# `apache::mod::` class or `apache::mod` defined type.
# If `true`, Puppet installs additional modules, depending on the operating system and
# the values of `apache_version` and `mpm_module` parameters. Because these lists of
# modules can change frequently, consult the Puppet module's code for up-to-date lists.
# If this parameter contains an array, Puppet instead enables all passed Apache modules.
#
# @param default_ssl_ca
# Sets the default certificate authority for the Apache server.
# Although the default value results in a functioning Apache server, you **must** update
# this parameter with your certificate authority information before deploying this server in
# a production environment.
#
# @param default_ssl_cert
# Sets the SSL encryption certificate location.
# Although the default value results in a functioning Apache server, you **must** update this
# parameter with your certificate location before deploying this server in a production environment.
#
# @param default_ssl_chain
# Sets the default SSL chain location.
# Although this default value results in a functioning Apache server, you **must** update
# this parameter with your SSL chain before deploying this server in a production environment.
#
# @param default_ssl_crl
# Sets the path of the default certificate revocation list (CRL) file to use.
# Although this default value results in a functioning Apache server, you **must** update
# this parameter with the CRL file path before deploying this server in a production
# environment. You can use this parameter with or in place of the `default_ssl_crl_path`.
#
# @param default_ssl_crl_path
# Sets the server's certificate revocation list path, which contains your CRLs.
# Although this default value results in a functioning Apache server, you **must** update
# this parameter with the CRL file path before deploying this server in a production environment.
#
# @param default_ssl_crl_check
# Sets the default certificate revocation check level via the `SSLCARevocationCheck` directive.
# This parameter applies only to Apache 2.4 or higher and is ignored on older versions.
# Although this default value results in a functioning Apache server, you **must** specify
# this parameter when using certificate revocation lists in a production environment.
#
# @param default_ssl_key
# Sets the SSL certificate key file location.
# Although the default values result in a functioning Apache server, you **must** update
# this parameter with your SSL key's location before deploying this server in a production
# environment.
#
# @param default_ssl_vhost
# Configures a default SSL virtual host.
# If `true`, Puppet automatically configures the following virtual host using the
# `apache::vhost` defined type:
# ```puppet
# apache::vhost { 'default-ssl':
# port => 443,
# ssl => true,
# docroot => $docroot,
# scriptalias => $scriptalias,
# serveradmin => $serveradmin,
# access_log_file => "ssl_${access_log_file}",
# }
# ```
# **Note**: SSL virtual hosts only respond to HTTPS queries.
#
# @param default_type
# _Apache 2.2 only_. Sets the MIME `content-type` sent if the server cannot otherwise
# determine an appropriate `content-type`. This directive is deprecated in Apache 2.4 and
# newer, and is only for backwards compatibility in configuration files.
#
# @param default_vhost
# Configures a default virtual host when the class is declared.
# To configure customized virtual hosts, set this parameter's
# value to `false`.
# > **Note**: Apache will not start without at least one virtual host. If you set this
# to `false` you must configure a virtual host elsewhere.
#
# @param dev_packages
# Configures a specific dev package to use.
# For example, using httpd 2.4 from the IUS yum repo:
# ``` puppet
# include ::apache::dev
# class { 'apache':
# apache_name => 'httpd24u',
# dev_packages => 'httpd24u-devel',
# }
# ```
#
# @param docroot
# Sets the default `DocumentRoot` location.
#
# @param error_documents
# Determines whether to enable [custom error documents](https://httpd.apache.org/docs/current/custom-error.html) on the Apache server.
#
# @param group
# Sets the group ID that owns any Apache processes spawned to answer requests.
# By default, Puppet attempts to manage this group as a resource under the `apache`
# class, determining the group based on the operating system as detected by the
# `apache::params` class. To prevent the group resource from being created and use a group
# created by another Puppet module, set the `manage_group` parameter's value to `false`.
# > **Note**: Modifying this parameter only changes the group ID that Apache uses to spawn
# child processes to access resources. It does not change the user that owns the parent server
# process.
#
# @param httpd_dir
# Sets the Apache server's base configuration directory. This is useful for specially
# repackaged Apache server builds but might have unintended consequences when combined
# with the default distribution packages.
#
# @param http_protocol_options
# Specifies the strictness of HTTP protocol checks.
# Valid options: any sequence of the following alternative values: `Strict` or `Unsafe`,
# `RegisteredMethods` or `LenientMethods`, and `Allow0.9` or `Require1.0`.
#
# @param keepalive
# Determines whether to enable persistent HTTP connections with the `KeepAlive` directive.
# If you set this to `On`, use the `keepalive_timeout` and `max_keepalive_requests` parameters
# to set relevant options.
#
# @param keepalive_timeout
# Sets the `KeepAliveTimeout` directive, which determines the amount of time the Apache
# server waits for subsequent requests on a persistent HTTP connection. This parameter is
# only relevant if the `keepalive` parameter is enabled.
#
# @param max_keepalive_requests
# Limits the number of requests allowed per connection when the `keepalive` parameter is enabled.
#
# @param hostname_lookups
# This directive enables DNS lookups so that host names can be logged and passed to
# CGIs/SSIs in REMOTE_HOST.
# > **Note**: If enabled, it impacts performance significantly.
#
# @param ldap_trusted_mode
# The following modes are supported:
#
# NONE - no encryption
# SSL - ldaps:// encryption on default port 636
# TLS - STARTTLS encryption on default port 389
# Not all LDAP toolkits support all the above modes. An error message will be logged at
# runtime if a mode is not supported, and the connection to the LDAP server will fail.
#
#If an ldaps:// URL is specified, the mode becomes SSL and the setting of LDAPTrustedMode is ignored.
#
# @param ldap_verify_server_cert
# Specifies whether to force the verification of a server certificate when establishing an SSL
# connection to the LDAP server.
# On|Off
#
# @param lib_path
# Specifies the location whereApache module files are stored.
# > **Note**: Do not configure this parameter manually without special reason.
#
# @param log_level
# Configures the apache [LogLevel](https://httpd.apache.org/docs/current/mod/core.html#loglevel) directive
# which adjusts the verbosity of the messages recorded in the error logs.
#
# @param log_formats
# Define additional `LogFormat` directives. Values: A hash, such as:
# ``` puppet
# $log_formats = { vhost_common => '%v %h %l %u %t \"%r\" %>s %b' }
# ```
# There are a number of predefined `LogFormats` in the `httpd.conf` that Puppet creates:
# ``` httpd
# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
# LogFormat "%h %l %u %t \"%r\" %>s %b" common
# LogFormat "%{Referer}i -> %U" referer
# LogFormat "%{User-agent}i" agent
# LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" forwarded
# ```
# If your `log_formats` parameter contains one of those, it will be overwritten with **your** definition.
#
# @param logroot
# Changes the directory of Apache log files for the virtual host.
#
# @param logroot_mode
# Overrides the default `logroot` directory's mode.
# > **Note**: Do _not_ grant write access to the directory where the logs are stored
# without being aware of the consequences. See the [Apache documentation](https://httpd.apache.org/docs/current/logs.html#security)
# for details.
#
# @param manage_group
# When `false`, stops Puppet from creating the group resource.
# If you have a group created from another Puppet module that you want to use to run Apache,
# set this to `false`. Without this parameter, attempting to use a previously established
# group results in a duplicate resource error.
#
# @param supplementary_groups
# A list of groups to which the user belongs. These groups are in addition to the primary group.
# Notice: This option only has an effect when `manage_user` is set to true.
#
# @param manage_user
# When `false`, stops Puppet from creating the user resource.
# This is for instances when you have a user, created from another Puppet module, you want
# to use to run Apache. Without this parameter, attempting to use a previously established
# user would result in a duplicate resource error.
#
# @param mod_dir
# Sets where Puppet places configuration files for your Apache modules.
#
# @param mod_libs
# Allows the user to override default module library names.
# ```puppet
# include apache::params
# class { 'apache':
# mod_libs => merge($::apache::params::mod_libs, {
# 'wsgi' => 'mod_wsgi_python3.so',
# })
# }
# ```
#
# @param mod_packages
# Allows the user to override default module package names.
# ```puppet
# include apache::params
# class { 'apache':
# mod_packages => merge($::apache::params::mod_packages, {
# 'auth_kerb' => 'httpd24-mod_auth_kerb',
# })
# }
# ```
#
# @param mpm_module
# Determines which [multi-processing module](https://httpd.apache.org/docs/current/mpm.html) (MPM) is loaded and configured for the
# HTTPD process. Valid values are: `event`, `itk`, `peruser`, `prefork`, `worker` or `false`.
# You must set this to `false` to explicitly declare the following classes with custom parameters:
# - `apache::mod::event`
# - `apache::mod::itk`
# - `apache::mod::peruser`
# - `apache::mod::prefork`
# - `apache::mod::worker`
#
# @param package_ensure
# Controls the `package` resource's `ensure` attribute. Valid values are: `absent`, `installed`
# (or equivalent `present`), or a version string.
#
# @param pidfile
# Allows settting a custom location for the pid file. Useful if using a custom-built Apache rpm.
#
# @param ports_file
# Sets the path to the file containing Apache ports configuration.
#
# @param protocols
# Sets the [Protocols](https://httpd.apache.org/docs/current/en/mod/core.html#protocols)
# directive, which lists available protocols for the server.
#
# @param protocols_honor_order
# Sets the [ProtocolsHonorOrder](https://httpd.apache.org/docs/current/en/mod/core.html#protocolshonororder)
# directive which determines whether the order of Protocols sets precedence during negotiation.
#
# @param purge_configs
# Removes all other Apache configs and virtual hosts.
# Setting this to `false` is a stopgap measure to allow the apache module to coexist with
# existing or unmanaged configurations. We recommend moving your configuration to resources
# within this module. For virtual host configurations, see `purge_vhost_dir`.
#
# @param purge_vhost_dir
# If the `vhost_dir` parameter's value differs from the `confd_dir` parameter's, this parameter
# determines whether Puppet removes any configurations inside `vhost_dir` that are _not_ managed
# by Puppet.
# Setting `purge_vhost_dir` to `false` is a stopgap measure to allow the apache module to
# coexist with existing or otherwise unmanaged configurations within `vhost_dir`.
#
# @param rewrite_lock
# Allows setting a custom location for a rewrite lock - considered best practice if using
# a RewriteMap of type prg in the `rewrites` parameter of your virtual host. This parameter
# only applies to Apache version 2.2 or lower and is ignored on newer versions.
#
# @param sendfile
# Forces Apache to use the Linux kernel's `sendfile` support to serve static files, via the
# `EnableSendfile` directive.
#
# @param serveradmin
# Sets the Apache server administrator's contact information via Apache's `ServerAdmin` directive.
#
# @param servername
# Sets the Apache server name via Apache's `ServerName` directive.
# Setting to `false` will not set ServerName at all.
#
# @param server_root
# Sets the Apache server's root directory via Apache's `ServerRoot` directive.
#
# @param server_signature
# Configures a trailing footer line to display at the bottom of server-generated documents,
# such as error documents and output of certain Apache modules, via Apache's `ServerSignature`
# directive. Valid values are: `On` or `Off`.
#
# @param server_tokens
# Controls how much information Apache sends to the browser about itself and the operating
# system, via Apache's `ServerTokens` directive.
#
# @param service_enable
# Determines whether Puppet enables the Apache HTTPD service when the system is booted.
#
# @param service_ensure
# Determines whether Puppet should make sure the service is running.
# Valid values are: `true` (or `running`) or `false` (or `stopped`).
# The `false` or `stopped` values set the 'httpd' service resource's `ensure` parameter
# to `false`, which is useful when you want to let the service be managed by another
# application, such as Pacemaker.
#
# @param service_name
# Sets the name of the Apache service.
#
# @param service_manage
# Determines whether Puppet manages the HTTPD service's state.
#
# @param service_restart
# Determines whether Puppet should use a specific command to restart the HTTPD service.
# Values: a command to restart the Apache service.
#
# @param timeout
# Sets Apache's `TimeOut` directive, which defines the number of seconds Apache waits for
# certain events before failing a request.
#
# @param trace_enable
# Controls how Apache handles `TRACE` requests (per RFC 2616) via the `TraceEnable` directive.
#
# @param use_canonical_name
# Controls Apache's `UseCanonicalName` directive which controls how Apache handles
# self-referential URLs. If not specified, this parameter omits the declaration from the
# server's configuration and uses Apache's default setting of 'off'.
#
# @param use_systemd
# Controls whether the systemd module should be installed on Centos 7 servers, this is
# especially useful if using custom-built RPMs.
#
# @param file_mode
# Sets the desired permissions mode for config files.
# Valid values are: a string, with permissions mode in symbolic or numeric notation.
#
# @param root_directory_options
# Array of the desired options for the `/` directory in httpd.conf.
#
# @param root_directory_secured
# Sets the default access policy for the `/` directory in httpd.conf. A value of `false`
# allows access to all resources that are missing a more specific access policy. A value of
# `true` denies access to all resources by default. If `true`, more specific rules must be
# used to allow access to these resources (for example, in a directory block using the
# `directories` parameter).
#
# @param vhost_dir
# Changes your virtual host configuration files' location.
#
# @param vhost_include_pattern
# Defines the pattern for files included from the `vhost_dir`.
# If set to a value like `[^.#]\*.conf[^~]` to make sure that files accidentally created in
# this directory (such as files created by version control systems or editor backups) are
# *not* included in your server configuration.
# Some operating systems use a value of `*.conf`. By default, this module creates configuration
# files ending in `.conf`.
#
# @param user
# Changes the user that Apache uses to answer requests. Apache's parent process continues
# to run as root, but child processes access resources as the user defined by this parameter.
# To prevent Puppet from managing the user, set the `manage_user` parameter to `false`.
#
# @param apache_name
# The name of the Apache package to install. If you are using a non-standard Apache package
# you might need to override the default setting.
# For CentOS/RHEL Software Collections (SCL), you can also use `apache::version::scl_httpd_version`.
#
# @param error_log
# The name of the error log file for the main server instance. If the string starts with
# `/`, `|`, or `syslog`: the full path is set. Otherwise, the filename is prefixed with
# `$logroot`.
#
# @param scriptalias
# Directory to use for global script alias
#
# @param access_log_file
# The name of the access log file for the main server instance.
#
# @param limitreqfields
# The `limitreqfields` parameter sets the maximum number of request header fields in
# an HTTP request. This directive gives the server administrator greater control over
# abnormal client request behavior, which may be useful for avoiding some forms of
# denial-of-service attacks. The value should be increased if normal clients see an error
# response from the server that indicates too many fields were sent in the request.
#
# @param limitreqfieldsize
# The `limitreqfieldsize` parameter sets the maximum ammount of _bytes_ that will
# be allowed within a request header.
#
# @param ip
# Specifies the ip address
#
# @param purge_vdir
# Removes all other Apache configs and virtual hosts.
# > **Note**: This parameter is deprecated in favor of the `purge_config` parameter.
#
# @param conf_enabled
# Whether the additional config files in `/etc/apache2/conf-enabled` should be managed.
#
# @param vhost_enable_dir
# Set's whether the vhost definitions will be stored in sites-availible and if
# they will be symlinked to and from sites-enabled.
#
# @param mod_enable_dir
# Set's whether the mods-enabled directory should be managed.
#
# @param ssl_file
# This parameter allows you to set an ssl.conf file to be managed in order to implement
# an SSL Certificate.
#
# @param file_e_tag
# Sets the server default for the `FileETag` declaration, which modifies the response header
# field for static files.
#
# @param use_optional_includes
# Specifies whether Apache uses the `IncludeOptional` directive instead of `Include` for
# `additional_includes` in Apache 2.4 or newer.
#
# @param mime_types_additional
# Specifies any idditional Internet media (mime) types that you wish to be configured.
#
class apache (
$apache_name = $apache::params::apache_name,
$service_name = $apache::params::service_name,
$default_mods = true,
Boolean $default_vhost = true,
$default_charset = undef,
Boolean $default_confd_files = true,
Boolean $default_ssl_vhost = false,
$default_ssl_cert = $apache::params::default_ssl_cert,
$default_ssl_key = $apache::params::default_ssl_key,
$default_ssl_chain = undef,
$default_ssl_ca = undef,
$default_ssl_crl_path = undef,
$default_ssl_crl = undef,
$default_ssl_crl_check = undef,
$default_type = 'none',
$dev_packages = $apache::params::dev_packages,
$ip = undef,
Boolean $service_enable = true,
Boolean $service_manage = true,
$service_ensure = 'running',
$service_restart = undef,
$purge_configs = true,
$purge_vhost_dir = undef,
$purge_vdir = false,
$serveradmin = 'root@localhost',
Enum['On', 'Off', 'on', 'off'] $sendfile = 'On',
$ldap_verify_server_cert = undef,
$ldap_trusted_mode = undef,
$error_documents = false,
$timeout = '60',
$httpd_dir = $apache::params::httpd_dir,
$server_root = $apache::params::server_root,
$conf_dir = $apache::params::conf_dir,
$confd_dir = $apache::params::confd_dir,
Enum['Off', 'On', 'Double', 'off', 'on', 'double'] $hostname_lookups = $apache::params::hostname_lookups,
$conf_enabled = $apache::params::conf_enabled,
$vhost_dir = $apache::params::vhost_dir,
$vhost_enable_dir = $apache::params::vhost_enable_dir,
$mod_libs = $apache::params::mod_libs,
$mod_packages = $apache::params::mod_packages,
$vhost_include_pattern = $apache::params::vhost_include_pattern,
$mod_dir = $apache::params::mod_dir,
$mod_enable_dir = $apache::params::mod_enable_dir,
$mpm_module = $apache::params::mpm_module,
$lib_path = $apache::params::lib_path,
$conf_template = $apache::params::conf_template,
$servername = $apache::params::servername,
$pidfile = $apache::params::pidfile,
Optional[Stdlib::Absolutepath] $rewrite_lock = undef,
Boolean $manage_user = true,
Boolean $manage_group = true,
$user = $apache::params::user,
$group = $apache::params::group,
$http_protocol_options = $apache::params::http_protocol_options,
$supplementary_groups = [],
$keepalive = $apache::params::keepalive,
$keepalive_timeout = $apache::params::keepalive_timeout,
$max_keepalive_requests = $apache::params::max_keepalive_requests,
$limitreqfieldsize = '8190',
$limitreqfields = '100',
$logroot = $apache::params::logroot,
$logroot_mode = $apache::params::logroot_mode,
Apache::LogLevel $log_level = $apache::params::log_level,
$log_formats = {},
$ssl_file = undef,
$ports_file = $apache::params::ports_file,
$docroot = $apache::params::docroot,
$apache_version = $apache::version::default,
$server_tokens = 'Prod',
$server_signature = 'On',
$trace_enable = 'On',
Optional[Enum['on', 'off', 'nodecode']] $allow_encoded_slashes = undef,
$file_e_tag = undef,
Optional[Enum['On', 'on', 'Off', 'off', 'DNS', 'dns']]
$use_canonical_name = undef,
$package_ensure = 'installed',
Boolean $use_optional_includes = $apache::params::use_optional_includes,
$use_systemd = $apache::params::use_systemd,
$mime_types_additional = $apache::params::mime_types_additional,
$file_mode = $apache::params::file_mode,
$root_directory_options = $apache::params::root_directory_options,
Boolean $root_directory_secured = false,
$error_log = $apache::params::error_log,
$scriptalias = $apache::params::scriptalias,
$access_log_file = $apache::params::access_log_file,
Array[Enum['h2', 'h2c', 'http/1.1']] $protocols = [],
Optional[Boolean] $protocols_honor_order = undef,
) inherits ::apache::params {
$valid_mpms_re = $apache_version ? {
'2.4' => '(event|itk|peruser|prefork|worker)',
default => '(event|itk|prefork|worker)'
}
- if $::osfamily == 'RedHat' and $apache::version::distrelease == '7' {
+ if $::osfamily == 'RedHat' and $facts['operatingsystemmajrelease'] == '7' {
# On redhat 7 the ssl.conf lives in /etc/httpd/conf.d (the confd_dir)
# when all other module configs live in /etc/httpd/conf.modules.d (the
# mod_dir). On all other platforms and versions, ssl.conf lives in the
# mod_dir. This should maintain the expected location of ssl.conf
$_ssl_file = $ssl_file ? {
undef => "${apache::confd_dir}/ssl.conf",
default => $ssl_file
}
} else {
$_ssl_file = $ssl_file ? {
undef => "${apache::mod_dir}/ssl.conf",
default => $ssl_file
}
}
if $mpm_module and $mpm_module != 'false' { # lint:ignore:quoted_booleans
assert_type(Pattern[$valid_mpms_re], $mpm_module)
}
# NOTE: on FreeBSD it's mpm module's responsibility to install httpd package.
# NOTE: the same strategy may be introduced for other OSes. For this, you
# should delete the 'if' block below and modify all MPM modules' manifests
# such that they include apache::package class (currently event.pp, itk.pp,
# peruser.pp, prefork.pp, worker.pp).
if $::osfamily != 'FreeBSD' {
package { 'httpd':
ensure => $package_ensure,
name => $apache_name,
notify => Class['Apache::Service'],
}
}
# declare the web server user and group
# Note: requiring the package means the package ought to create them and not puppet
if $manage_user {
user { $user:
ensure => present,
gid => $group,
groups => $supplementary_groups,
require => Package['httpd'],
}
}
if $manage_group {
group { $group:
ensure => present,
require => Package['httpd'],
}
}
class { 'apache::service':
service_name => $service_name,
service_enable => $service_enable,
service_manage => $service_manage,
service_ensure => $service_ensure,
service_restart => $service_restart,
}
# Deprecated backwards-compatibility
if $purge_vdir {
warning('Class[\'apache\'] parameter purge_vdir is deprecated in favor of purge_configs')
$purge_confd = $purge_vdir
} else {
$purge_confd = $purge_configs
}
# Set purge vhostd appropriately
if $purge_vhost_dir == undef {
$purge_vhostd = $purge_confd
} else {
$purge_vhostd = $purge_vhost_dir
}
Exec {
path => '/bin:/sbin:/usr/bin:/usr/sbin',
}
exec { "mkdir ${confd_dir}":
creates => $confd_dir,
require => Package['httpd'],
}
file { $confd_dir:
ensure => directory,
recurse => true,
purge => $purge_confd,
force => $purge_confd,
notify => Class['Apache::Service'],
require => Package['httpd'],
}
if $conf_enabled and ! defined(File[$conf_enabled]) {
file { $conf_enabled:
ensure => directory,
recurse => true,
purge => $purge_confd,
force => $purge_confd,
notify => Class['Apache::Service'],
require => Package['httpd'],
}
}
if ! defined(File[$mod_dir]) {
exec { "mkdir ${mod_dir}":
creates => $mod_dir,
require => Package['httpd'],
}
# Don't purge available modules if an enable dir is used
$purge_mod_dir = $purge_configs and !$mod_enable_dir
file { $mod_dir:
ensure => directory,
recurse => true,
purge => $purge_mod_dir,
notify => Class['Apache::Service'],
require => Package['httpd'],
before => Anchor['::apache::modules_set_up'],
}
}
if $mod_enable_dir and ! defined(File[$mod_enable_dir]) {
$mod_load_dir = $mod_enable_dir
exec { "mkdir ${mod_enable_dir}":
creates => $mod_enable_dir,
require => Package['httpd'],
}
file { $mod_enable_dir:
ensure => directory,
recurse => true,
purge => $purge_configs,
notify => Class['Apache::Service'],
require => Package['httpd'],
}
} else {
$mod_load_dir = $mod_dir
}
if ! defined(File[$vhost_dir]) {
exec { "mkdir ${vhost_dir}":
creates => $vhost_dir,
require => Package['httpd'],
}
file { $vhost_dir:
ensure => directory,
recurse => true,
purge => $purge_vhostd,
notify => Class['Apache::Service'],
require => Package['httpd'],
}
}
if $vhost_enable_dir and ! defined(File[$vhost_enable_dir]) {
$vhost_load_dir = $vhost_enable_dir
exec { "mkdir ${vhost_load_dir}":
creates => $vhost_load_dir,
require => Package['httpd'],
}
file { $vhost_enable_dir:
ensure => directory,
recurse => true,
purge => $purge_vhostd,
notify => Class['Apache::Service'],
require => Package['httpd'],
}
} else {
$vhost_load_dir = $vhost_dir
}
concat { $ports_file:
ensure => present,
owner => 'root',
group => $apache::params::root_group,
mode => $apache::file_mode,
notify => Class['Apache::Service'],
require => Package['httpd'],
}
concat::fragment { 'Apache ports header':
target => $ports_file,
content => template('apache/ports_header.erb'),
}
if $apache::conf_dir and $apache::params::conf_file {
if $::osfamily == 'gentoo' {
$error_documents_path = '/usr/share/apache2/error'
if $default_mods =~ Array {
if versioncmp($apache_version, '2.4') >= 0 {
if defined('apache::mod::ssl') {
::portage::makeconf { 'apache2_modules':
content => concat($default_mods, ['authz_core', 'socache_shmcb']),
}
} else {
::portage::makeconf { 'apache2_modules':
content => concat($default_mods, 'authz_core'),
}
}
} else {
::portage::makeconf { 'apache2_modules':
content => $default_mods,
}
}
}
file { [
'/etc/apache2/modules.d/.keep_www-servers_apache-2',
'/etc/apache2/vhosts.d/.keep_www-servers_apache-2',
]:
ensure => absent,
require => Package['httpd'],
}
}
$apxs_workaround = $::osfamily ? {
'freebsd' => true,
default => false
}
# Template uses:
# - $pidfile
# - $user
# - $group
# - $logroot
# - $error_log
# - $sendfile
# - $mod_dir
# - $ports_file
# - $confd_dir
# - $vhost_dir
# - $error_documents
# - $error_documents_path
# - $apxs_workaround
# - $http_protocol_options
# - $keepalive
# - $keepalive_timeout
# - $max_keepalive_requests
# - $server_root
# - $server_tokens
# - $server_signature
# - $trace_enable
# - $rewrite_lock
# - $root_directory_secured
file { "${apache::conf_dir}/${apache::params::conf_file}":
ensure => file,
mode => $apache::file_mode,
content => template($conf_template),
notify => Class['Apache::Service'],
require => [Package['httpd'], Concat[$ports_file]],
}
# preserve back-wards compatibility to the times when default_mods was
# only a boolean value. Now it can be an array (too)
if $default_mods =~ Array {
class { 'apache::default_mods':
all => false,
mods => $default_mods,
}
} else {
class { 'apache::default_mods':
all => $default_mods,
}
}
class { 'apache::default_confd_files':
all => $default_confd_files,
}
if $mpm_module and $mpm_module != 'false' { # lint:ignore:quoted_booleans
include "::apache::mod::${mpm_module}"
}
$default_vhost_ensure = $default_vhost ? {
true => 'present',
false => 'absent'
}
$default_ssl_vhost_ensure = $default_ssl_vhost ? {
true => 'present',
false => 'absent'
}
::apache::vhost { 'default':
ensure => $default_vhost_ensure,
port => '80',
docroot => $docroot,
scriptalias => $scriptalias,
serveradmin => $serveradmin,
access_log_file => $access_log_file,
priority => '15',
ip => $ip,
logroot_mode => $logroot_mode,
manage_docroot => $default_vhost,
use_servername_for_filenames => true,
use_port_for_filenames => true,
}
$ssl_access_log_file = $::osfamily ? {
'freebsd' => $access_log_file,
default => "ssl_${access_log_file}",
}
::apache::vhost { 'default-ssl':
ensure => $default_ssl_vhost_ensure,
port => '443',
ssl => true,
docroot => $docroot,
scriptalias => $scriptalias,
serveradmin => $serveradmin,
access_log_file => $ssl_access_log_file,
priority => '15',
ip => $ip,
logroot_mode => $logroot_mode,
manage_docroot => $default_ssl_vhost,
use_servername_for_filenames => true,
use_port_for_filenames => true,
}
}
# This anchor can be used as a reference point for things that need to happen *after*
# all modules have been put in place.
anchor { '::apache::modules_set_up': }
}
diff --git a/manifests/mod/fastcgi.pp b/manifests/mod/fastcgi.pp
index d24dcbf0..a3445c91 100644
--- a/manifests/mod/fastcgi.pp
+++ b/manifests/mod/fastcgi.pp
@@ -1,35 +1,35 @@
# @summary
# Installs `mod_fastcgi`.
#
# @see https://github.com/FastCGI-Archives/mod_fastcgi for additional documentation.
#
class apache::mod::fastcgi {
include apache
- if ($::osfamily == 'Redhat' and versioncmp($::operatingsystemrelease, '7.0') >= 0) {
+ if ($::osfamily == 'Redhat' and versioncmp($::operatingsystemmajrelease, '7') >= 0) {
fail('mod_fastcgi is no longer supported on el7 and above.')
}
if ($facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['major'], '18.04') >= 0) {
fail('mod_fastcgi is no longer supported on Ubuntu 18.04 and above. Please use mod_proxy_fcgi')
}
# Debian specifies it's fastcgi lib path, but RedHat uses the default value
# with no config file
$fastcgi_lib_path = $apache::params::fastcgi_lib_path
::apache::mod { 'fastcgi': }
if $fastcgi_lib_path {
# Template uses:
# - $fastcgi_server
# - $fastcgi_socket
# - $fastcgi_dir
file { 'fastcgi.conf':
ensure => file,
path => "${apache::mod_dir}/fastcgi.conf",
mode => $apache::file_mode,
content => template('apache/mod/fastcgi.conf.erb'),
require => Exec["mkdir ${apache::mod_dir}"],
before => File[$apache::mod_dir],
notify => Class['apache::service'],
}
}
}
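Review bot: The updated RedHat guard still reads a legacy top-scope fact (`$::operatingsystemmajrelease`, next to `$::osfamily`), while the Ubuntu guard two lines below already uses the structured `$facts['os']['release']['major']`. On agents that do not provide legacy facts the first guard would presumably not evaluate the same way as the second, so the two checks that stop an unsupported module from being installed should read the same source. I would write it as `if ($facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['major'], '7') >= 0) {`. The same legacy fact name is introduced in the proxy_html.pp hunk of this commit as `$facts['operatingsystemmajrelease']`.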
diff --git a/manifests/mod/proxy_html.pp b/manifests/mod/proxy_html.pp
index 22a57664..0205af84 100644
--- a/manifests/mod/proxy_html.pp
+++ b/manifests/mod/proxy_html.pp
@@ -1,60 +1,60 @@
# @summary
# Installs `mod_proxy_html`.
#
# @see https://httpd.apache.org/docs/current/mod/mod_proxy_html.html for additional documentation.
#
class apache::mod::proxy_html {
include apache
Class['::apache::mod::proxy'] -> Class['::apache::mod::proxy_html']
Class['::apache::mod::proxy_http'] -> Class['::apache::mod::proxy_html']
# Add libxml2
case $::osfamily {
/RedHat|FreeBSD|Gentoo|Suse/: {
::apache::mod { 'xml2enc': }
$loadfiles = undef
}
'Debian': {
$gnu_path = $::hardwaremodel ? {
'i686' => 'i386',
default => $::hardwaremodel,
}
case $::operatingsystem {
'Ubuntu': {
- $loadfiles = $apache::params::distrelease ? {
+ $loadfiles = $facts['operatingsystemmajrelease'] ? {
'10' => ['/usr/lib/libxml2.so.2'],
default => ["/usr/lib/${gnu_path}-linux-gnu/libxml2.so.2"],
}
}
'Debian': {
- $loadfiles = $apache::params::distrelease ? {
+ $loadfiles = $facts['operatingsystemmajrelease'] ? {
'6' => ['/usr/lib/libxml2.so.2'],
default => ["/usr/lib/${gnu_path}-linux-gnu/libxml2.so.2"],
}
}
default: {
$loadfiles = ["/usr/lib/${gnu_path}-linux-gnu/libxml2.so.2"]
}
}
if versioncmp($apache::apache_version, '2.4') >= 0 {
::apache::mod { 'xml2enc': }
}
}
default: {}
}
::apache::mod { 'proxy_html':
loadfiles => $loadfiles,
}
# Template uses $icons_path
file { 'proxy_html.conf':
ensure => file,
path => "${apache::mod_dir}/proxy_html.conf",
mode => $apache::file_mode,
content => template('apache/mod/proxy_html.conf.erb'),
require => Exec["mkdir ${apache::mod_dir}"],
before => File[$apache::mod_dir],
notify => Class['apache::service'],
}
}
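Review bot: The `'10'` arm of the Ubuntu selector can no longer match after this change, because on Ubuntu `$facts['operatingsystemmajrelease']` carries the full `YY.MM` release; params.pp in this same commit matches it against `'16.04'` and `'20.04'`. An Ubuntu 10.x node would therefore fall through to the `${gnu_path}-linux-gnu` path instead of `/usr/lib/libxml2.so.2`. The replaced `$apache::params::distrelease` is not defined on this page, but it presumably held only the leading release component. Either drop the arm if that release is no longer supported, or match it by pattern with `/^10\./ => ['/usr/lib/libxml2.so.2'],`. The Debian arm `'6'` is unaffected, since the Debian values matched in params.pp are bare major numbers.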
diff --git a/manifests/params.pp b/manifests/params.pp
index bad6f3e5..d26227cf 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -1,798 +1,798 @@
# @summary
# This class manages Apache parameters
#
# @api private
class apache::params inherits ::apache::version {
if($::fqdn) {
$servername = $::fqdn
} else {
$servername = $::hostname
}
# The default error log level
$log_level = 'warn'
$use_optional_includes = false
# Default mime types settings
$mime_types_additional = {
'AddHandler' => { 'type-map' => 'var', },
'AddType' => { 'text/html' => '.shtml', },
'AddOutputFilter' => { 'INCLUDES' => '.shtml', },
}
# should we use systemd module?
$use_systemd = true
# Default mode for files
$file_mode = '0644'
# The default value for host hame lookup
$hostname_lookups = 'Off'
# Default options for / directory
$root_directory_options = ['FollowSymLinks']
$vhost_include_pattern = '*'
$modsec_audit_log_parts = 'ABIJDEFHZ'
$modsec_audit_log_type = 'Serial'
# no client certs should be trusted for auth by default.
$ssl_certs_dir = undef
# Allow overriding the autoindex alias location
$icons_prefix = 'icons'
if ($apache::version::scl_httpd_version) {
if $apache::version::scl_php_version == undef {
fail('If you define apache::version::scl_httpd_version, you also need to specify apache::version::scl_php_version')
}
$_scl_httpd_version_nodot = regsubst($apache::version::scl_httpd_version, '\.', '')
$_scl_httpd_name = "httpd${_scl_httpd_version_nodot}"
$_scl_php_version_no_dot = regsubst($apache::version::scl_php_version, '\.', '')
$user = 'apache'
$group = 'apache'
$root_group = 'root'
$apache_name = "${_scl_httpd_name}-httpd"
$service_name = "${_scl_httpd_name}-httpd"
$httpd_root = "/opt/rh/${_scl_httpd_name}/root"
$httpd_dir = "${httpd_root}/etc/httpd"
$server_root = "${httpd_root}/etc/httpd"
$conf_dir = "${httpd_dir}/conf"
$confd_dir = "${httpd_dir}/conf.d"
- $mod_dir = $apache::version::distrelease ? {
+ $mod_dir = $facts['operatingsystemmajrelease'] ? {
'7' => "${httpd_dir}/conf.modules.d",
default => "${httpd_dir}/conf.d",
}
$mod_enable_dir = undef
$vhost_dir = "${httpd_dir}/conf.d"
$vhost_enable_dir = undef
$conf_file = 'httpd.conf'
$conf_enabled = undef
$ports_file = "${conf_dir}/ports.conf"
$pidfile = 'run/httpd.pid'
$logroot = "/var/log/${_scl_httpd_name}"
$logroot_mode = undef
$lib_path = 'modules'
$mpm_module = 'prefork'
$dev_packages = "${_scl_httpd_name}-httpd-devel"
$default_ssl_cert = '/etc/pki/tls/certs/localhost.crt'
$default_ssl_key = '/etc/pki/tls/private/localhost.key'
$ssl_sessioncache = '/var/cache/mod_ssl/scache(512000)'
$passenger_conf_file = 'passenger_extra.conf'
$passenger_conf_package_file = 'passenger.conf'
$passenger_root = undef
$passenger_ruby = undef
$passenger_default_ruby = undef
$suphp_addhandler = 'php5-script'
$suphp_engine = 'off'
$suphp_configpath = undef
$php_version = $apache::version::scl_php_version
$mod_packages = {
'authnz_ldap' => "${_scl_httpd_name}-mod_ldap",
'ldap' => "${_scl_httpd_name}-mod_ldap",
"php${apache::version::scl_php_version}" => "rh-php${_scl_php_version_no_dot}-php",
'ssl' => "${_scl_httpd_name}-mod_ssl",
}
$mod_libs = {
'nss' => 'libmodnss.so',
}
$conf_template = 'apache/httpd.conf.erb'
$http_protocol_options = undef
$keepalive = 'On'
$keepalive_timeout = 15
$max_keepalive_requests = 100
$fastcgi_lib_path = undef
$mime_support_package = 'mailcap'
$mime_types_config = '/etc/mime.types'
$docroot = "${httpd_root}/var/www/html"
- $alias_icons_path = $apache::version::distrelease ? {
+ $alias_icons_path = $facts['operatingsystemmajrelease'] ? {
'7' => "${httpd_root}/usr/share/httpd/icons",
default => '/var/www/icons',
}
- $error_documents_path = $apache::version::distrelease ? {
+ $error_documents_path = $facts['operatingsystemmajrelease'] ? {
'7' => "${httpd_root}/usr/share/httpd/error",
default => '/var/www/error'
}
if $::osfamily == 'RedHat' {
$wsgi_socket_prefix = '/var/run/wsgi'
} else {
$wsgi_socket_prefix = undef
}
$cas_cookie_path = '/var/cache/mod_auth_cas/'
$mellon_lock_file = '/run/mod_auth_mellon/lock'
$mellon_cache_size = 100
$mellon_post_directory = undef
$modsec_version = 1
$modsec_crs_package = 'mod_security_crs'
$modsec_crs_path = '/usr/lib/modsecurity.d'
$modsec_dir = '/etc/httpd/modsecurity.d'
$secpcrematchlimit = 1500
$secpcrematchlimitrecursion = 1500
$modsec_secruleengine = 'On'
$modsec_default_rules = [
'base_rules/modsecurity_35_bad_robots.data',
'base_rules/modsecurity_35_scanners.data',
'base_rules/modsecurity_40_generic_attacks.data',
'base_rules/modsecurity_50_outbound.data',
'base_rules/modsecurity_50_outbound_malware.data',
'base_rules/modsecurity_crs_20_protocol_violations.conf',
'base_rules/modsecurity_crs_21_protocol_anomalies.conf',
'base_rules/modsecurity_crs_23_request_limits.conf',
'base_rules/modsecurity_crs_30_http_policy.conf',
'base_rules/modsecurity_crs_35_bad_robots.conf',
'base_rules/modsecurity_crs_40_generic_attacks.conf',
'base_rules/modsecurity_crs_41_sql_injection_attacks.conf',
'base_rules/modsecurity_crs_41_xss_attacks.conf',
'base_rules/modsecurity_crs_42_tight_security.conf',
'base_rules/modsecurity_crs_45_trojans.conf',
'base_rules/modsecurity_crs_47_common_exceptions.conf',
'base_rules/modsecurity_crs_49_inbound_blocking.conf',
'base_rules/modsecurity_crs_50_outbound.conf',
'base_rules/modsecurity_crs_59_outbound_blocking.conf',
'base_rules/modsecurity_crs_60_correlation.conf',
]
$error_log = 'error_log'
$scriptalias = "${httpd_root}/var/www/cgi-bin"
$access_log_file = 'access_log'
}
elsif $::osfamily == 'RedHat' or $::operatingsystem =~ /^[Aa]mazon$/ {
$user = 'apache'
$group = 'apache'
$root_group = 'root'
$apache_name = 'httpd'
$service_name = 'httpd'
$httpd_dir = '/etc/httpd'
$server_root = '/etc/httpd'
$conf_dir = "${httpd_dir}/conf"
$confd_dir = "${httpd_dir}/conf.d"
$conf_enabled = undef
if $::operatingsystem =~ /^[Aa]mazon$/ and $::operatingsystemmajrelease == '2' {
# Amazon Linux 2 uses the /conf.modules.d/ dir
$mod_dir = "${httpd_dir}/conf.modules.d"
} else {
- $mod_dir = $apache::version::distrelease ? {
+ $mod_dir = $facts['operatingsystemmajrelease'] ? {
'7' => "${httpd_dir}/conf.modules.d",
'8' => "${httpd_dir}/conf.modules.d",
default => "${httpd_dir}/conf.d",
}
}
$mod_enable_dir = undef
$vhost_dir = "${httpd_dir}/conf.d"
$vhost_enable_dir = undef
$conf_file = 'httpd.conf'
$ports_file = "${conf_dir}/ports.conf"
$pidfile = 'run/httpd.pid'
$logroot = '/var/log/httpd'
$logroot_mode = undef
$lib_path = 'modules'
$mpm_module = 'prefork'
$dev_packages = 'httpd-devel'
$default_ssl_cert = '/etc/pki/tls/certs/localhost.crt'
$default_ssl_key = '/etc/pki/tls/private/localhost.key'
$ssl_sessioncache = '/var/cache/mod_ssl/scache(512000)'
$passenger_conf_file = 'passenger_extra.conf'
$passenger_conf_package_file = 'passenger.conf'
$passenger_root = undef
$passenger_ruby = undef
$passenger_default_ruby = undef
$suphp_addhandler = 'php5-script'
$suphp_engine = 'off'
$suphp_configpath = undef
- $php_version = $apache::version::distrelease ? {
+ $php_version = $facts['operatingsystemmajrelease'] ? {
'8' => '7', # RedHat8
default => '5', # RedHat5, RedHat6, RedHat7
}
$mod_packages = {
# NOTE: The auth_cas module isn't available on RH/CentOS without providing dependency packages provided by EPEL.
'auth_cas' => 'mod_auth_cas',
'auth_kerb' => 'mod_auth_kerb',
'auth_gssapi' => 'mod_auth_gssapi',
'auth_mellon' => 'mod_auth_mellon',
'auth_openidc' => 'mod_auth_openidc',
- 'authnz_ldap' => $apache::version::distrelease ? {
+ 'authnz_ldap' => $facts['operatingsystemmajrelease'] ? {
'7' => 'mod_ldap',
'8' => 'mod_ldap',
default => 'mod_authz_ldap',
},
'authnz_pam' => 'mod_authnz_pam',
- 'fastcgi' => $apache::version::distrelease ? {
+ 'fastcgi' => $facts['operatingsystemmajrelease'] ? {
'5' => 'mod_fastcgi',
'6' => 'mod_fastcgi',
default => undef,
},
'fcgid' => 'mod_fcgid',
'geoip' => 'mod_geoip',
'intercept_form_submit' => 'mod_intercept_form_submit',
- 'ldap' => $apache::version::distrelease ? {
+ 'ldap' => $facts['operatingsystemmajrelease'] ? {
'5' => undef,
'6' => undef,
default => 'mod_ldap',
},
'lookup_identity' => 'mod_lookup_identity',
'md' => 'mod_md',
'pagespeed' => 'mod-pagespeed-stable',
# NOTE: The passenger module isn't available on RH/CentOS without
# providing dependency packages provided by EPEL and passenger
# repositories. See
# https://www.phusionpassenger.com/library/install/apache/install/oss/el7/
'passenger' => 'mod_passenger',
'perl' => 'mod_perl',
- 'php5' => $apache::version::distrelease ? {
+ 'php5' => $facts['operatingsystemmajrelease'] ? {
'5' => 'php53',
default => 'php',
},
'phpXXX' => 'php',
'proxy_html' => 'mod_proxy_html',
'python' => 'mod_python',
'security' => 'mod_security',
# NOTE: The module for Shibboleth is not available on RH/CentOS without
# providing dependency packages provided by Shibboleth's repositories.
# See http://wiki.aaf.edu.au/tech-info/sp-install-guide
'shibboleth' => 'shibboleth',
'ssl' => 'mod_ssl',
- 'wsgi' => $apache::version::distrelease ? {
+ 'wsgi' => $facts['operatingsystemmajrelease'] ? {
'8' => 'python3-mod_wsgi', # RedHat8
default => 'mod_wsgi', # RedHat5, RedHat6, RedHat7
},
'dav_svn' => 'mod_dav_svn',
'suphp' => 'mod_suphp',
'xsendfile' => 'mod_xsendfile',
'nss' => 'mod_nss',
'shib2' => 'shibboleth',
}
$mod_libs = {
'nss' => 'libmodnss.so',
- 'wsgi' => $apache::version::distrelease ? {
+ 'wsgi' => $facts['operatingsystemmajrelease'] ? {
'8' => 'mod_wsgi_python3.so',
default => 'mod_wsgi.so',
},
}
$conf_template = 'apache/httpd.conf.erb'
$http_protocol_options = undef
$keepalive = 'On'
$keepalive_timeout = 15
$max_keepalive_requests = 100
$fastcgi_lib_path = undef
$mime_support_package = 'mailcap'
$mime_types_config = '/etc/mime.types'
$docroot = '/var/www/html'
- $alias_icons_path = $apache::version::distrelease ? {
+ $alias_icons_path = $facts['operatingsystemmajrelease'] ? {
'7' => '/usr/share/httpd/icons',
'8' => '/usr/share/httpd/icons',
default => '/var/www/icons',
}
- $error_documents_path = $apache::version::distrelease ? {
+ $error_documents_path = $facts['operatingsystemmajrelease'] ? {
'7' => '/usr/share/httpd/error',
'8' => '/usr/share/httpd/error',
default => '/var/www/error'
}
if $::osfamily == 'RedHat' {
$wsgi_socket_prefix = '/var/run/wsgi'
} else {
$wsgi_socket_prefix = undef
}
$cas_cookie_path = '/var/cache/mod_auth_cas/'
$mellon_lock_file = '/run/mod_auth_mellon/lock'
$mellon_cache_size = 100
$mellon_post_directory = undef
$modsec_version = 1
$modsec_crs_package = 'mod_security_crs'
$modsec_crs_path = '/usr/lib/modsecurity.d'
$modsec_dir = '/etc/httpd/modsecurity.d'
$secpcrematchlimit = 1500
$secpcrematchlimitrecursion = 1500
$modsec_secruleengine = 'On'
$modsec_default_rules = [
'base_rules/modsecurity_35_bad_robots.data',
'base_rules/modsecurity_35_scanners.data',
'base_rules/modsecurity_40_generic_attacks.data',
'base_rules/modsecurity_50_outbound.data',
'base_rules/modsecurity_50_outbound_malware.data',
'base_rules/modsecurity_crs_20_protocol_violations.conf',
'base_rules/modsecurity_crs_21_protocol_anomalies.conf',
'base_rules/modsecurity_crs_23_request_limits.conf',
'base_rules/modsecurity_crs_30_http_policy.conf',
'base_rules/modsecurity_crs_35_bad_robots.conf',
'base_rules/modsecurity_crs_40_generic_attacks.conf',
'base_rules/modsecurity_crs_41_sql_injection_attacks.conf',
'base_rules/modsecurity_crs_41_xss_attacks.conf',
'base_rules/modsecurity_crs_42_tight_security.conf',
'base_rules/modsecurity_crs_45_trojans.conf',
'base_rules/modsecurity_crs_47_common_exceptions.conf',
'base_rules/modsecurity_crs_49_inbound_blocking.conf',
'base_rules/modsecurity_crs_50_outbound.conf',
'base_rules/modsecurity_crs_59_outbound_blocking.conf',
'base_rules/modsecurity_crs_60_correlation.conf',
]
$error_log = 'error_log'
$scriptalias = '/var/www/cgi-bin'
$access_log_file = 'access_log'
} elsif $::osfamily == 'Debian' {
$user = 'www-data'
$group = 'www-data'
$root_group = 'root'
$apache_name = 'apache2'
$service_name = 'apache2'
$httpd_dir = '/etc/apache2'
$server_root = '/etc/apache2'
$conf_dir = $httpd_dir
$confd_dir = "${httpd_dir}/conf.d"
# Overwrite conf_enabled causes errors with Shibboleth when enabled on Ubuntu 18.04
$conf_enabled = undef #"${httpd_dir}/conf-enabled.d"
$mod_dir = "${httpd_dir}/mods-available"
$mod_enable_dir = "${httpd_dir}/mods-enabled"
$vhost_dir = "${httpd_dir}/sites-available"
$vhost_enable_dir = "${httpd_dir}/sites-enabled"
$conf_file = 'apache2.conf'
$ports_file = "${conf_dir}/ports.conf"
$pidfile = "\${APACHE_PID_FILE}"
$logroot = '/var/log/apache2'
$logroot_mode = undef
$lib_path = '/usr/lib/apache2/modules'
$mpm_module = 'worker'
$default_ssl_cert = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
$default_ssl_key = '/etc/ssl/private/ssl-cert-snakeoil.key'
$ssl_sessioncache = "\${APACHE_RUN_DIR}/ssl_scache(512000)"
$suphp_addhandler = 'x-httpd-php'
$suphp_engine = 'off'
$suphp_configpath = '/etc/php5/apache2'
if ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '16.04') < 0) or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '9') < 0) {
# Only the major version is used here
$php_version = '5'
$mod_packages = {
'auth_cas' => 'libapache2-mod-auth-cas',
'auth_kerb' => 'libapache2-mod-auth-kerb',
'auth_openidc' => 'libapache2-mod-auth-openidc',
'auth_gssapi' => 'libapache2-mod-auth-gssapi',
'auth_mellon' => 'libapache2-mod-auth-mellon',
'authnz_pam' => 'libapache2-mod-authnz-pam',
'dav_svn' => 'libapache2-svn',
'fastcgi' => 'libapache2-mod-fastcgi',
'fcgid' => 'libapache2-mod-fcgid',
'geoip' => 'libapache2-mod-geoip',
'intercept_form_submit' => 'libapache2-mod-intercept-form-submit',
'jk' => 'libapache2-mod-jk',
'lookup_identity' => 'libapache2-mod-lookup-identity',
'nss' => 'libapache2-mod-nss',
'pagespeed' => 'mod-pagespeed-stable',
'passenger' => 'libapache2-mod-passenger',
'perl' => 'libapache2-mod-perl2',
'phpXXX' => 'libapache2-mod-phpXXX',
'proxy_html' => 'libapache2-mod-proxy-html',
'python' => 'libapache2-mod-python',
'rpaf' => 'libapache2-mod-rpaf',
'security' => 'libapache2-modsecurity',
'shib2' => 'libapache2-mod-shib2',
'suphp' => 'libapache2-mod-suphp',
'wsgi' => 'libapache2-mod-wsgi',
'xsendfile' => 'libapache2-mod-xsendfile',
}
} else {
$php_version = $facts['operatingsystemmajrelease'] ? {
'9' => '7.0', # Debian Stretch
'16.04' => '7.0', # Ubuntu Xenial
'10' => '7.3', # Debian Buster
'20.04' => '7.4', # Ubuntu Foccal Fossal
default => '7.2', # Ubuntu Bionic, Cosmic and Disco
}
$mod_packages = {
'apreq2' => 'libapache2-mod-apreq2',
'auth_cas' => 'libapache2-mod-auth-cas',
'auth_kerb' => 'libapache2-mod-auth-kerb',
'auth_openidc' => 'libapache2-mod-auth-openidc',
'auth_gssapi' => 'libapache2-mod-auth-gssapi',
'auth_mellon' => 'libapache2-mod-auth-mellon',
'authnz_pam' => 'libapache2-mod-authnz-pam',
'dav_svn' => 'libapache2-mod-svn',
'fastcgi' => 'libapache2-mod-fastcgi',
'fcgid' => 'libapache2-mod-fcgid',
'geoip' => 'libapache2-mod-geoip',
'intercept_form_submit' => 'libapache2-mod-intercept-form-submit',
'jk' => 'libapache2-mod-jk',
'lookup_identity' => 'libapache2-mod-lookup-identity',
'nss' => 'libapache2-mod-nss',
'pagespeed' => 'mod-pagespeed-stable',
'passenger' => 'libapache2-mod-passenger',
'perl' => 'libapache2-mod-perl2',
'phpXXX' => 'libapache2-mod-phpXXX',
'python' => 'libapache2-mod-python',
'rpaf' => 'libapache2-mod-rpaf',
'security' => 'libapache2-mod-security2',
'shib2' => 'libapache2-mod-shib2',
'wsgi' => 'libapache2-mod-wsgi',
'xsendfile' => 'libapache2-mod-xsendfile',
}
}
$error_log = 'error.log'
$scriptalias = '/usr/lib/cgi-bin'
$access_log_file = 'access.log'
if $::osfamily == 'Debian' and versioncmp($::operatingsystemrelease, '8') < 0 {
$shib2_lib = 'mod_shib_22.so'
} elsif ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '19.04') < 0) or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '10') < 0) {
$shib2_lib = 'mod_shib2.so'
} else {
$shib2_lib = 'mod_shib.so'
}
$mod_libs = {
'shib2' => $shib2_lib,
}
$conf_template = 'apache/httpd.conf.erb'
$http_protocol_options = undef
$keepalive = 'On'
$keepalive_timeout = 15
$max_keepalive_requests = 100
$fastcgi_lib_path = '/var/lib/apache2/fastcgi'
$mime_support_package = 'mime-support'
$mime_types_config = '/etc/mime.types'
if ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '13.10') >= 0) or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '8') >= 0) {
$docroot = '/var/www/html'
} else {
$docroot = '/var/www'
}
$cas_cookie_path = '/var/cache/apache2/mod_auth_cas/'
$mellon_lock_file = undef
$mellon_cache_size = undef
$mellon_post_directory = '/var/cache/apache2/mod_auth_mellon/'
$modsec_version = 1
$modsec_crs_package = 'modsecurity-crs'
$modsec_crs_path = '/usr/share/modsecurity-crs'
$modsec_dir = '/etc/modsecurity'
$secpcrematchlimit = 1500
$secpcrematchlimitrecursion = 1500
$modsec_secruleengine = 'On'
if ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '9') >= 0) or ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '18.04') >= 0) {
$modsec_default_rules = [
'crawlers-user-agents.data',
'iis-errors.data',
'java-code-leakages.data',
'java-errors.data',
'lfi-os-files.data',
'php-config-directives.data',
'php-errors.data',
'php-function-names-933150.data',
'php-function-names-933151.data',
'php-variables.data',
'restricted-files.data',
'scanners-headers.data',
'scanners-urls.data',
'scanners-user-agents.data',
'scripting-user-agents.data',
'sql-errors.data',
'sql-function-names.data',
'unix-shell.data',
'windows-powershell-commands.data',
]
} else {
$modsec_default_rules = [
'base_rules/modsecurity_35_bad_robots.data',
'base_rules/modsecurity_35_scanners.data',
'base_rules/modsecurity_40_generic_attacks.data',
'base_rules/modsecurity_50_outbound.data',
'base_rules/modsecurity_50_outbound_malware.data',
'base_rules/modsecurity_crs_20_protocol_violations.conf',
'base_rules/modsecurity_crs_21_protocol_anomalies.conf',
'base_rules/modsecurity_crs_23_request_limits.conf',
'base_rules/modsecurity_crs_30_http_policy.conf',
'base_rules/modsecurity_crs_35_bad_robots.conf',
'base_rules/modsecurity_crs_40_generic_attacks.conf',
'base_rules/modsecurity_crs_41_sql_injection_attacks.conf',
'base_rules/modsecurity_crs_41_xss_attacks.conf',
'base_rules/modsecurity_crs_42_tight_security.conf',
'base_rules/modsecurity_crs_45_trojans.conf',
'base_rules/modsecurity_crs_47_common_exceptions.conf',
'base_rules/modsecurity_crs_49_inbound_blocking.conf',
'base_rules/modsecurity_crs_50_outbound.conf',
'base_rules/modsecurity_crs_59_outbound_blocking.conf',
'base_rules/modsecurity_crs_60_correlation.conf',
]
}
$alias_icons_path = '/usr/share/apache2/icons'
$error_documents_path = '/usr/share/apache2/error'
if ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '13.10') >= 0) or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '8') >= 0) {
$dev_packages = ['libaprutil1-dev', 'libapr1-dev', 'apache2-dev']
} else {
$dev_packages = ['libaprutil1-dev', 'libapr1-dev', 'apache2-prefork-dev']
}
#
# Passenger-specific settings
#
$passenger_conf_file = 'passenger.conf'
$passenger_conf_package_file = undef
if ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '14.04') < 0) or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '8') < 0) {
$passenger_root = '/usr'
$passenger_ruby = '/usr/bin/ruby'
$passenger_default_ruby = undef
} else {
$passenger_root = '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini'
$passenger_ruby = undef
$passenger_default_ruby = '/usr/bin/ruby'
}
$wsgi_socket_prefix = undef
} elsif $::osfamily == 'FreeBSD' {
$user = 'www'
$group = 'www'
$root_group = 'wheel'
$apache_name = 'apache24'
$service_name = 'apache24'
$httpd_dir = '/usr/local/etc/apache24'
$server_root = '/usr/local'
$conf_dir = $httpd_dir
$confd_dir = "${httpd_dir}/Includes"
$conf_enabled = undef
$mod_dir = "${httpd_dir}/Modules"
$mod_enable_dir = undef
$vhost_dir = "${httpd_dir}/Vhosts"
$vhost_enable_dir = undef
$conf_file = 'httpd.conf'
$ports_file = "${conf_dir}/ports.conf"
$pidfile = '/var/run/httpd.pid'
$logroot = '/var/log/apache24'
$logroot_mode = undef
$lib_path = '/usr/local/libexec/apache24'
$mpm_module = 'prefork'
$dev_packages = undef
$default_ssl_cert = '/usr/local/etc/apache24/server.crt'
$default_ssl_key = '/usr/local/etc/apache24/server.key'
$ssl_sessioncache = '/var/run/ssl_scache(512000)'
$passenger_conf_file = 'passenger.conf'
$passenger_conf_package_file = undef
$passenger_root = '/usr/local/lib/ruby/gems/2.0/gems/passenger-4.0.58'
$passenger_ruby = '/usr/local/bin/ruby'
$passenger_default_ruby = undef
$suphp_addhandler = 'php5-script'
$suphp_engine = 'off'
$suphp_configpath = undef
$php_version = '5'
$mod_packages = {
# NOTE: I list here only modules that are not included in www/apache24
# NOTE: 'passenger' needs to enable APACHE_SUPPORT in make config
# NOTE: 'php' needs to enable APACHE option in make config
# NOTE: 'dav_svn' needs to enable MOD_DAV_SVN make config
# NOTE: not sure where the shibboleth should come from
'auth_kerb' => 'www/mod_auth_kerb2',
'auth_gssapi' => 'www/mod_auth_gssapi',
'auth_openidc'=> 'www/mod_auth_openidc',
'fcgid' => 'www/mod_fcgid',
'passenger' => 'www/rubygem-passenger',
'perl' => 'www/mod_perl2',
'phpXXX' => 'www/mod_phpXXX',
'proxy_html' => 'www/mod_proxy_html',
'python' => 'www/mod_python3',
'wsgi' => 'www/mod_wsgi',
'dav_svn' => 'devel/subversion',
'xsendfile' => 'www/mod_xsendfile',
'rpaf' => 'www/mod_rpaf2',
'shib2' => 'security/shibboleth2-sp',
}
$mod_libs = {
}
$conf_template = 'apache/httpd.conf.erb'
$http_protocol_options = undef
$keepalive = 'On'
$keepalive_timeout = 15
$max_keepalive_requests = 100
$fastcgi_lib_path = undef # TODO: revisit
$mime_support_package = 'misc/mime-support'
$mime_types_config = '/usr/local/etc/mime.types'
$wsgi_socket_prefix = undef
$docroot = '/usr/local/www/apache24/data'
$alias_icons_path = '/usr/local/www/apache24/icons'
$error_documents_path = '/usr/local/www/apache24/error'
$error_log = 'httpd-error.log'
$scriptalias = '/usr/local/www/apache24/cgi-bin'
$access_log_file = 'httpd-access.log'
} elsif $::osfamily == 'Gentoo' {
$user = 'apache'
$group = 'apache'
$root_group = 'wheel'
$apache_name = 'www-servers/apache'
$service_name = 'apache2'
$httpd_dir = '/etc/apache2'
$server_root = '/var/www'
$conf_dir = $httpd_dir
$confd_dir = "${httpd_dir}/conf.d"
$conf_enabled = undef
$mod_dir = "${httpd_dir}/modules.d"
$mod_enable_dir = undef
$vhost_dir = "${httpd_dir}/vhosts.d"
$vhost_enable_dir = undef
$conf_file = 'httpd.conf'
$ports_file = "${conf_dir}/ports.conf"
$logroot = '/var/log/apache2'
$logroot_mode = undef
$lib_path = '/usr/lib/apache2/modules'
$mpm_module = 'prefork'
$dev_packages = undef
$default_ssl_cert = '/etc/ssl/apache2/server.crt'
$default_ssl_key = '/etc/ssl/apache2/server.key'
$ssl_sessioncache = '/var/run/ssl_scache(512000)'
$passenger_root = '/usr'
$passenger_ruby = '/usr/bin/ruby'
$passenger_conf_file = 'passenger.conf'
$passenger_conf_package_file = undef
$passenger_default_ruby = undef
$suphp_addhandler = 'x-httpd-php'
$suphp_engine = 'off'
$suphp_configpath = '/etc/php5/apache2'
$php_version = '5'
$mod_packages = {
# NOTE: I list here only modules that are not included in www-servers/apache
'auth_kerb' => 'www-apache/mod_auth_kerb',
'auth_gssapi' => 'www-apache/mod_auth_gssapi',
'authnz_external' => 'www-apache/mod_authnz_external',
'fcgid' => 'www-apache/mod_fcgid',
'passenger' => 'www-apache/passenger',
'perl' => 'www-apache/mod_perl',
'phpXXX' => 'dev-lang/php',
'proxy_html' => 'www-apache/mod_proxy_html',
'proxy_fcgi' => 'www-apache/mod_proxy_fcgi',
'python' => 'www-apache/mod_python',
'wsgi' => 'www-apache/mod_wsgi',
'dav_svn' => 'dev-vcs/subversion',
'xsendfile' => 'www-apache/mod_xsendfile',
'rpaf' => 'www-apache/mod_rpaf',
'xml2enc' => 'www-apache/mod_xml2enc',
}
$mod_libs = {
}
$conf_template = 'apache/httpd.conf.erb'
$http_protocol_options = undef
$keepalive = 'On'
$keepalive_timeout = 15
$max_keepalive_requests = 100
$fastcgi_lib_path = undef # TODO: revisit
$mime_support_package = 'app-misc/mime-types'
$mime_types_config = '/etc/mime.types'
$wsgi_socket_prefix = undef
$docroot = '/var/www/localhost/htdocs'
$alias_icons_path = '/usr/share/apache2/icons'
$error_documents_path = '/usr/share/apache2/error'
$pidfile = '/var/run/apache2.pid'
$error_log = 'error.log'
$scriptalias = '/var/www/localhost/cgi-bin'
$access_log_file = 'access.log'
} elsif $::osfamily == 'Suse' {
$user = 'wwwrun'
$group = 'www'
$root_group = 'root'
$apache_name = 'apache2'
$service_name = 'apache2'
$httpd_dir = '/etc/apache2'
$server_root = '/etc/apache2'
$conf_dir = $httpd_dir
$confd_dir = "${httpd_dir}/conf.d"
$conf_enabled = undef
$mod_dir = "${httpd_dir}/mods-available"
$mod_enable_dir = "${httpd_dir}/mods-enabled"
$vhost_dir = "${httpd_dir}/sites-available"
$vhost_enable_dir = "${httpd_dir}/sites-enabled"
$conf_file = 'httpd.conf'
$ports_file = "${conf_dir}/ports.conf"
$pidfile = '/var/run/httpd2.pid'
$logroot = '/var/log/apache2'
$logroot_mode = undef
$lib_path = '/usr/lib64/apache2' #changes for some modules based on mpm
$mpm_module = 'prefork'
if versioncmp($::operatingsystemrelease, '15') < 0 {
$default_ssl_cert = '/etc/apache2/ssl.crt/server.crt'
$default_ssl_key = '/etc/apache2/ssl.key/server.key'
} else {
$default_ssl_cert = '/etc/apache2/ssl.crt/default-server.crt'
$default_ssl_key = '/etc/apache2/ssl.key/default-server.key'
}
$ssl_sessioncache = '/var/lib/apache2/ssl_scache(512000)'
$suphp_addhandler = 'x-httpd-php'
$suphp_engine = 'off'
$suphp_configpath = '/etc/php5/apache2'
$php_version = '5'
if versioncmp($::operatingsystemrelease, '11') < 0 or versioncmp($::operatingsystemrelease, '12') >= 0 {
$mod_packages = {
'auth_kerb' => 'apache2-mod_auth_kerb',
'auth_gssapi' => 'apache2-mod_auth_gssapi',
'dav_svn' => 'subversion-server',
'perl' => 'apache2-mod_perl',
'php5' => 'apache2-mod_php5',
'python' => 'apache2-mod_python',
'security' => 'apache2-mod_security2',
'worker' => 'apache2-worker',
}
} else {
$mod_packages = {
'auth_kerb' => 'apache2-mod_auth_kerb',
'auth_gssapi' => 'apache2-mod_auth_gssapi',
'dav_svn' => 'subversion-server',
'perl' => 'apache2-mod_perl',
'php5' => 'apache2-mod_php53',
'python' => 'apache2-mod_python',
'security' => 'apache2-mod_security2',
}
}
$mod_libs = {
'security' => '/usr/lib64/apache2/mod_security2.so',
'php53' => '/usr/lib64/apache2/mod_php5.so',
}
$conf_template = 'apache/httpd.conf.erb'
$http_protocol_options = undef
$keepalive = 'On'
$keepalive_timeout = 15
$max_keepalive_requests = 100
$fastcgi_lib_path = '/var/lib/apache2/fastcgi'
$mime_support_package = 'aaa_base'
$mime_types_config = '/etc/mime.types'
$docroot = '/srv/www'
$cas_cookie_path = '/var/cache/apache2/mod_auth_cas/'
$mellon_lock_file = undef
$mellon_cache_size = undef
$mellon_post_directory = undef
$alias_icons_path = '/usr/share/apache2/icons'
$error_documents_path = '/usr/share/apache2/error'
$dev_packages = ['libapr-util1-devel', 'libapr1-devel', 'libcurl-devel']
$modsec_version = 1
$modsec_crs_package = undef
$modsec_crs_path = undef
$modsec_default_rules = undef
$modsec_dir = '/etc/apache2/modsecurity'
$secpcrematchlimit = 1500
$secpcrematchlimitrecursion = 1500
$modsec_secruleengine = 'On'
$error_log = 'error.log'
$scriptalias = '/usr/lib/cgi-bin'
$access_log_file = 'access.log'
#
# Passenger-specific settings
#
$passenger_conf_file = 'passenger.conf'
$passenger_conf_package_file = undef
$passenger_root = '/usr/lib64/ruby/gems/1.8/gems/passenger-5.0.30'
$passenger_ruby = '/usr/bin/ruby'
$passenger_default_ruby = '/usr/bin/ruby'
$wsgi_socket_prefix = undef
} else {
fail("Class['apache::params']: Unsupported osfamily: ${::osfamily}")
}
if ($::operatingsystem == 'Ubuntu' and $::lsbdistrelease == '10.04') or ($::operatingsystem == 'SLES') {
$verify_command = '/usr/sbin/apache2ctl -t'
} elsif $::operatingsystem == 'FreeBSD' {
$verify_command = '/usr/local/sbin/apachectl -t'
} elsif ($apache::version::scl_httpd_version) {
$verify_command = "/opt/rh/${_scl_httpd_name}/root/usr/sbin/apachectl -t"
} else {
$verify_command = '/usr/sbin/apachectl -t'
}
- if $::osfamily == 'RedHat' and versioncmp($::operatingsystemrelease, '8.0') >= 0 {
+ if $::osfamily == 'RedHat' and versioncmp($facts['operatingsystemmajrelease'], '8') >= 0 {
$ssl_protocol = ['all'] # Implementations of the SSLv2 and SSLv3 protocol versions have been removed from OpenSSL (and hence mod_ssl) because these are no longer considered secure. For additional documentation https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/setting-apache-web-server_deploying-different-types-of-servers
} else {
$ssl_protocol = ['all', '-SSLv2', '-SSLv3']
}
}
diff --git a/manifests/version.pp b/manifests/version.pp
index 36e2a040..7ebd591c 100644
--- a/manifests/version.pp
+++ b/manifests/version.pp
@@ -1,55 +1,48 @@
# @summary
# Try to automatically detect the version by OS
#
# @api private
class apache::version (
Optional[String] $scl_httpd_version = undef,
Optional[String] $scl_php_version = undef,
) {
- # This will be 5 or 6 on RedHat, 6 or wheezy on Debian, 12 or quantal on Ubuntu, etc.
- $osr_array = split($::operatingsystemrelease,'[\/\.]')
- $distrelease = $osr_array[0]
- if ! $distrelease {
- fail("Class['apache::version']: Unparsable \$::operatingsystemrelease: ${::operatingsystemrelease}")
- }
-
case $::osfamily {
'RedHat': {
if $scl_httpd_version {
$default = $scl_httpd_version
}
elsif ($::operatingsystem == 'Amazon') {
$default = '2.2'
- } elsif ($::operatingsystem == 'Fedora' and versioncmp($distrelease, '18') >= 0) or ($::operatingsystem != 'Fedora' and versioncmp($distrelease, '7') >= 0) {
+ } elsif ($::operatingsystem == 'Fedora' and versioncmp($facts['operatingsystemmajrelease'], '18') >= 0) or ($::operatingsystem != 'Fedora' and versioncmp($facts['operatingsystemmajrelease'], '7') >= 0) {
$default = '2.4'
} else {
$default = '2.2'
}
}
'Debian': {
- if $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '13.10') >= 0 {
+ if $::operatingsystem == 'Ubuntu' and versioncmp($facts['operatingsystemmajrelease'], '13.10') >= 0 {
$default = '2.4'
- } elsif $::operatingsystem == 'Debian' and versioncmp($distrelease, '8') >= 0 {
+ } elsif $::operatingsystem == 'Debian' and versioncmp($facts['operatingsystemmajrelease'], '8') >= 0 {
$default = '2.4'
} else {
$default = '2.2'
}
}
'FreeBSD': {
$default = '2.4'
}
'Gentoo': {
$default = '2.4'
}
'Suse': {
- if ($::operatingsystem == 'SLES' and versioncmp($::operatingsystemrelease, '12') >= 0) or ($::operatingsystem == 'OpenSuSE' and versioncmp($::operatingsystemrelease, '42') >= 0) {
+ if ($::operatingsystem == 'SLES' and versioncmp($facts['operatingsystemmajrelease'], '12') >= 0) or ($::operatingsystem == 'OpenSuSE' and versioncmp($facts['operatingsystemmajrelease'], '42') >= 0) {
$default = '2.4'
} else {
$default = '2.2'
}
}
default: {
fail("Class['apache::version']: Unsupported osfamily: ${::osfamily}")
}
}
}
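Review bot: The explicit `fail()` on an unparsable release is removed without a replacement, so the RedHat, Debian and Suse branches now pass `$facts['operatingsystemmajrelease']` straight to `versioncmp()`. If that fact is absent (a stubbed or custom fact set, for example), the lookup yields undef and compilation presumably stops with a type error from `versioncmp()` rather than a message naming this class. I would keep a local, `$distrelease = $facts['operatingsystemmajrelease']`, and add `unless $distrelease { fail("Class['apache::version']: Missing operatingsystemmajrelease fact") }` inside those three branches only, since the Amazon, FreeBSD and Gentoo paths never read it. The same unguarded lookup appears in the RedHat `$ssl_protocol` condition in manifests/params.pp, where it decides whether `'-SSLv2', '-SSLv3'` are applied, so a clear failure there matters more. As a style point, the conditions mix `$::operatingsystem` with `$facts[...]`; using `$facts` for both would read more consistently.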
diff --git a/spec/spec_helper_local.rb b/spec/spec_helper_local.rb
index b380956a..b5031e3e 100644
--- a/spec/spec_helper_local.rb
+++ b/spec/spec_helper_local.rb
@@ -1,175 +1,180 @@
# frozen_string_literal: true
if ENV['COVERAGE'] == 'yes'
require 'simplecov'
require 'simplecov-console'
require 'codecov'
SimpleCov.formatters = [
SimpleCov::Formatter::HTMLFormatter,
SimpleCov::Formatter::Console,
SimpleCov::Formatter::Codecov,
]
SimpleCov.start do
track_files 'lib/**/*.rb'
add_filter '/spec'
# do not track vendored files
add_filter '/vendor'
add_filter '/.vendor'
# do not track gitignored files
# this adds about 4 seconds to the coverage check
# this could definitely be optimized
add_filter do |f|
# system returns true if exit status is 0, which with git-check-ignore means file is ignored
system("git check-ignore --quiet #{f.filename}")
end
end
end
shared_examples :compile, compile: true do
it { is_expected.to compile.with_all_deps }
end
shared_context 'a mod class, without including apache' do
let(:facts) { on_supported_os['debian-8-x86_64'] }
end
shared_context 'Debian 8' do
let(:facts) { on_supported_os['debian-8-x86_64'] }
end
shared_context 'Ubuntu 18.04' do
let(:facts) { on_supported_os['ubuntu-18.04-x86_64'] }
end
shared_context 'RedHat 6' do
let(:facts) { on_supported_os['redhat-6-x86_64'] }
end
shared_context 'RedHat 7' do
let(:facts) { on_supported_os['redhat-7-x86_64'] }
end
shared_context 'RedHat 8' do
let(:facts) { on_supported_os['redhat-8-x86_64'] }
end
shared_context 'Fedora 17' do
let :facts do
{
id: 'root',
kernel: 'Linux',
osfamily: 'RedHat',
operatingsystem: 'Fedora',
operatingsystemrelease: '17',
+ operatingsystemmajrelease: '17',
path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
}
end
end
shared_context 'Fedora 21' do
let :facts do
{
id: 'root',
kernel: 'Linux',
osfamily: 'RedHat',
operatingsystem: 'Fedora',
operatingsystemrelease: '21',
+ operatingsystemmajrelease: '21',
path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
}
end
end
shared_context 'Fedora 28' do
let :facts do
{
id: 'root',
kernel: 'Linux',
osfamily: 'RedHat',
operatingsystem: 'Fedora',
operatingsystemrelease: '28',
+ operatingsystemmajrelease: '28',
path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
}
end
end
shared_context 'Fedora Rawhide' do
let :facts do
{
id: 'root',
kernel: 'Linux',
osfamily: 'RedHat',
operatingsystem: 'Fedora',
operatingsystemrelease: 'Rawhide',
+ operatingsystemmajrelease: 'Rawhide',
path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
}
end
end
shared_context 'FreeBSD 9' do
let :facts do
{
osfamily: 'FreeBSD',
operatingsystemrelease: '9',
operatingsystem: 'FreeBSD',
id: 'root',
kernel: 'FreeBSD',
path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
}
end
end
shared_context 'FreeBSD 10' do
let :facts do
{
id: 'root',
kernel: 'FreeBSD',
osfamily: 'FreeBSD',
operatingsystem: 'FreeBSD',
operatingsystemrelease: '10',
path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
}
end
end
shared_context 'Gentoo' do
let :facts do
{
id: 'root',
kernel: 'Linux',
osfamily: 'Gentoo',
operatingsystem: 'Gentoo',
- operatingsystemrelease: '3.16.1-gentoo',
+ operatingsystemrelease: '2.7',
+ operatingsystemmajrelease: '2.7',
path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin',
}
end
end
shared_context 'Darwin' do
let :facts do
{
osfamily: 'Darwin',
operatingsystemrelease: '13.1.0',
}
end
end
shared_context 'Unsupported OS' do
let :facts do
{
osfamily: 'Magic',
operatingsystemrelease: '0',
operatingsystem: 'Magic',
id: 'root',
kernel: 'Linux',
path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
}
end
end
shared_context 'SLES 12' do
let(:facts) { on_supported_os['sles-12-x86_64'] }
end