diff --git a/site-modules/profile/files/varnish/unknown_vhost_then_forbidden_access.vcl b/site-modules/profile/files/varnish/unknown_vhost_then_forbidden_access.vcl new file mode 100644 index 00000000..997e1fd4 --- /dev/null +++ b/site-modules/profile/files/varnish/unknown_vhost_then_forbidden_access.vcl @@ -0,0 +1,12 @@ +# known_vhost_determine_forbidden_access.vcl +# +# Now that we passed along all vhosts declared, we should be able to determine +# if the access to such query should be forbidden or not +# +# File managed by puppet. All modifications will be lost. + +sub vcl_recv { + if (var.get("known-vhost") != "yes") { + return(synth(403, "Forbidden access to unknown vhost " + req.http.host)); + } +} diff --git a/site-modules/profile/manifests/varnish.pp b/site-modules/profile/manifests/varnish.pp index da2cb2f4..adf0d5b7 100644 --- a/site-modules/profile/manifests/varnish.pp +++ b/site-modules/profile/manifests/varnish.pp @@ -1,83 +1,97 @@ # Varnish configuration class profile::varnish { $includes_dir = '/etc/varnish/includes' $includes_vcl_name = 'includes.vcl' $includes_vcl = "/etc/varnish/${includes_vcl_name}" $http_port = lookup('varnish::http_port') $backend_http_port = lookup('varnish::backend_http_port') $listen = lookup('varnish::listen') $admin_listen = lookup('varnish::admin_listen') $admin_port = lookup('varnish::admin_port') $http2_support = lookup('varnish::http2_support') $secret = lookup('varnish::secret') $storage_type = lookup('varnish::storage_type') $storage_size = lookup('varnish::storage_size') $storage_file = lookup('varnish::storage_file') if $http2_support { $runtime_params = { feature => '+http2', } } else { $runtime_params = {} } if $::lsbdistcodename == 'stretch' { $extra_class_params = {} } else { $extra_class_params = { vcl_reload_cmd => '/usr/share/varnish/varnishreload', } } + $extra_packages = ["varnish-modules"]; + package {$extra_packages: + ensure => installed, + } + class {'::varnish': addrepo => false, listen => $listen, admin_listen => $admin_listen, admin_port => $admin_port, secret => $secret, storage_type => $storage_type, storage_size => $storage_size, storage_file => $storage_file, runtime_params => $runtime_params, * => $extra_class_params, } ::varnish::vcl {'/etc/varnish/default.vcl': content => template('profile/varnish/default.vcl.erb'), - require => Concat[$includes_vcl], + require => [ + Concat[$includes_vcl], + Package[$extra_packages], + ], } file {$includes_dir: ensure => directory, owner => 'root', group => 'root', mode => '0644', require => Class['varnish::install'], notify => Exec['vcl_reload'], } concat {$includes_vcl: ensure => present, owner => 'root', group => 'root', mode => '0644', ensure_newline => true, require => Class['varnish::install'], notify => Exec['vcl_reload'], } concat::fragment {"${includes_vcl}:header": target => $includes_vcl, content => "# File managed with puppet (module profile::varnish)\n# All modifications will be lost\n\n", order => '00', } ::profile::varnish::vcl_include {'synth_redirect': order => '10', content => file('profile/varnish/synth_redirect.vcl'), } + + ::profile::varnish::vcl_include {'unknown_vhost_then_forbidden_access': + order => '99', + content => file('profile/varnish/unknown_vhost_then_forbidden_access.vcl'), + } + } diff --git a/site-modules/profile/templates/varnish/default.vcl.erb b/site-modules/profile/templates/varnish/default.vcl.erb index 4d8aad62..5de5c1a1 100644 --- a/site-modules/profile/templates/varnish/default.vcl.erb +++ b/site-modules/profile/templates/varnish/default.vcl.erb @@ -1,9 +1,10 @@ # Varnish configuration file # File managed by puppet (module profile::varnish) # All modifications will be lost. vcl 4.0; import std; +import var; include "<%= @includes_vcl_name %>"; diff --git a/site-modules/profile/templates/varnish/vhost.vcl.erb b/site-modules/profile/templates/varnish/vhost.vcl.erb index 73370978..9bfd4ce6 100644 --- a/site-modules/profile/templates/varnish/vhost.vcl.erb +++ b/site-modules/profile/templates/varnish/vhost.vcl.erb @@ -1,59 +1,60 @@ # vhost_<%= @servername %>.vcl # # Settings for the <%= @servername %> vhost # # File managed by puppet. All modifications will be lost. sub vcl_recv { if ( <% @aliases.each do |alias_| -%> req.http.host ~ "^(?i)<%= Regexp.escape(alias_) %>(:[0-9]+)?$" || <% end -%> req.http.host ~ "^(?i)<%= Regexp.escape(@servername) %>(:[0-9]+)?$" ) { + var.set("known-vhost", "yes"); if (std.port(server.ip) == <%= scope['::profile::varnish::http_port'] %>) { set req.http.x-redir = "https://" + req.http.host + req.url; return(synth(850, "Moved permanently")); } else { <% if @websocket_support -%> if (req.http.upgrade ~ "(?i)websocket") { return (pipe); } <% end -%> set req.http.X-Forwarded-Proto = "https"; set req.backend_hint = <%= @backend_name %>; } <% if @vcl_recv_extra -%> <%= @vcl_recv_extra %> <% end -%> } } <% if @websocket_support -%> sub vcl_pipe { if (req.http.upgrade) { set bereq.http.upgrade = req.http.upgrade; set bereq.http.connection = req.http.connection; } } <% end -%> <% if @hsts_max_age or @vcl_deliver_extra -%> sub vcl_deliver { if ( <% @aliases.each do |alias_| -%> req.http.host ~ "^(?i)<%= Regexp.escape(alias_) %>(:[0-9]+)?$" || <% end -%> req.http.host ~ "^(?i)<%= Regexp.escape(@servername) %>(:[0-9]+)?$" ) { <% if @hsts_max_age -%> if (std.port(server.ip) != <%= scope['::profile::varnish::http_port'] %>) { set resp.http.Strict-Transport-Security = "max-age=<%= @hsts_max_age %>;"; } <% end -%> <% if @vcl_deliver_extra -%> <%= @vcl_deliver_extra %> <% end -%> } } <% end -%>