simp_apache
Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.22.1 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-simp_apache', '7.1.0'
Learn more about managing modules with a Puppetfile
Reference
See the Reference Documentation for full details
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they can be submitted to our JIRA.
Please read our Contribution Guide.
Reference
Table of Contents
Classes
simp_apache
: Configures an Apache server
simp_apache::conf
: This class sets up apache.conf.
simp_apache::install
: Apache package management
simp_apache::service
: Control the Apache service
simp_apache::ssl
: Configures an Apache server with SSL support
simp_apache::validate
: Should be used as input to validate_deep_hash when managing ldap
Defined types
simp_apache::site
: This adds a 'site' to your configuration.
Resource types
htaccess
: Manages the contents of htaccess files using the htpasswd command. Right now the $namevar must be a path/user combination as documented under
Functions
simp_apache::auth
: Takes a hash of arguments related to Apache 'Auth' settings and returns a reasonably formatted set of options. Currently, only htaccess and
simp_apache::limits
: Takes a hash of arguments related to Apache 'Limits' settings and returns a reasonably formatted set of options. Currently, host, user ('val
simp_apache::munge_httpd_networks
: Provides a method by which an array of networks can be properly formatted for an Apache Allow/Deny segment. This handles the case of 0.0.0.0
Data types
Simp_apache::LogSeverity
: Valid log severities for Apache
Classes
simp_apache
Ensures that the appropriate files are in the appropriate places and can optionally rsync the /var/www/html content.
Ideally, we will move over to the Puppet Labs apache module in the future but it's going to be quite a bit of work to port all of our code.
Parameters
The following parameters are available in the simp_apache class.
data_dir
Data type: Stdlib::AbsolutePath
The location where apache web data should be stored. Set to /srv/www for legacy reasons.
Default value: '/var/www'
rsync_web_root
Data type: Boolean
Whether or not to rsync over the web root.
Default value: true
ssl
Data type: Boolean
Whether or not to enable SSL. You will need to set the Hiera variables for apache::ssl appropriately for your needs.
Default value: true
rsync_source
Data type: String
The source on the rsync server.
Default value: "apache_${::environment}_${facts['os']['name']}/www"
rsync_server
Data type: Simplib::Host
The name/address of the rsync server.
Default value: simplib::lookup('simp_options::rsync::server', { 'default_value' => '127.0.0.1' })
rsync_timeout
Data type: Integer
The rsync connection timeout.
Default value: simplib::lookup('simp_options::rsync::timeout', { 'default_value' => 2 })
simp_apache::conf
This class sets up apache.conf.
- See also
  - The following parameters are referenced in the stock apache documentation
Parameters
The following parameters are available in the simp_apache::conf class.
httpd_timeout
Data type: Integer
The Timeout variable. Renamed to not conflict with the Puppet reserved word 'timeout'.
Default value: 120
httpd_loglevel
Data type: Simp_apache::LogSeverity
The LogLevel variable. Renamed to not conflict with the Puppet reserved word 'loglevel'.
Default value: 'warn'
listen
Data type: Array[Variant[Simplib::Host::Port, Simplib::Port]]
An array of ports upon which Apache should listen.
NOTE: If you are using an IPv6 address with a port, you need to bracket the address
Default value: [80]
firewall
Data type: Boolean
Whether or not to use the SIMP IPTables module.
Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false })
syslog
Data type: Boolean
Whether or not to use the SIMP Rsyslog module.
Default value: simplib::lookup('simp_options::syslog', { 'default_value' => false })
syslog_target
Data type: Stdlib::AbsolutePath
If $syslog is true, store the apache logs at this location.
Default value: '/var/log/httpd'
purge
Data type: Boolean
Whether or not to purge the configuration directories.
Default value: true
keepalive
Data type: Boolean
Default value: false
maxkeepalive
Data type: Integer
Default value: 100
keepalivetimeout
Data type: Integer
Default value: 15
prefork_startservers
Data type: Integer
Default value: 8
prefork_minspareservers
Data type: Integer
Default value: 5
prefork_maxspareservers
Data type: Integer
Default value: 20
prefork_serverlimit
Data type: Integer
Default value: 3000
prefork_maxclients
Data type: Integer
Default value: 3000
prefork_maxrequestsperchild
Data type: Integer
Default value: 4000
worker_startservers
Data type: Integer
Default value: 2
worker_maxclients
Data type: Integer
Default value: 3000
worker_minsparethreads
Data type: Integer
Default value: 25
worker_maxsparethreads
Data type: Integer
Default value: 75
worker_threadsperchild
Data type: Integer
Default value: 25
worker_maxrequestsperchild
Data type: Integer
Default value: 0
includes
Data type: Optional[Array[String]]
Default value: undef
serveradmin
Data type: String
Default value: 'root@localhost'
servername
Data type: Optional[String]
Default value: undef
allowroot
Data type: Simplib::Netlist
Default value: ['127.0.0.1','::1']
defaulttype
Data type: String
Default value: 'text/plain'
enablemmap
Data type: Boolean
Default value: true
enablesendfile
Data type: Boolean
Default value: true
user
Data type: String
Default value: 'apache'
group
Data type: String
Default value: 'apache'
logformat
Data type: String
Default value: '%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"'
logfacility
Data type: Simplib::Syslog::LowerFacility
Default value: 'local6'
simp_apache::install
Apache package management
Parameters
The following parameters are available in the simp_apache::install class.
httpd_ensure
Data type: String
The ensure status of the httpd package
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
mod_ldap_ensure
Data type: String
The ensure status of the mod_ldap package
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
mod_ssl_ensure
Data type: String
The ensure status of the mod_ssl package
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
simp_apache::service
Control the Apache service
Parameters
The following parameters are available in the simp_apache::service class.
manage
Data type: Boolean
Whether or not to manage the service
If set to false, you may need to add the service name to svckill::ignore if you are in enforcing mode.
Default value: true
service_name
Data type: String[1]
The name of the service to manage
Default value: 'httpd'
ensure
Data type: String[1]
The state that the service should be in
Default value: 'running'
enable
Data type: Boolean
Whether or not to enable the daemon
Default value: true
hasstatus
Data type: Boolean
Whether or not the service has a 'status' command
Default value: true
hasrestart
Data type: Boolean
If set to true then the contents of $restart will be ignored
Default value: false
restart
Data type: String[1]
A specific command to use to restart the daemon
- Ignored if $hasrestart is set to true
- The sleep 3 is in place to prevent a race condition from happening and the reload || restart is in place to try to force a clean restart if a reload fails to do the job.
Default value: '/bin/sleep 3; /sbin/service httpd reload || /sbin/service httpd restart'
simp_apache::ssl
Ensures that the appropriate files are in the appropriate places and have the correct permissions.
NOTE: Any parameter that comes directly from Apache is not documented here and should be found in the Apache mod_ssl reference documentation.
Parameters
The following parameters are available in the simp_apache::ssl class.
listen
Data type: Array[Variant[Simplib::Host::Port, Simplib::Port]]
An array of ports upon which the stock SSL configuration should listen.
NOTE: If you are using an IPv6 address with a port, you need to bracket the address
Default value: [443]
trusted_nets
Data type: Simplib::Netlist
An array of networks that you trust to connect to your server.
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1', '::1'] })
logformat
Data type: String
The default LogFormat to be used for SSL logging. Set to '' to disable logging.
Default value: '%t %h %{SSL_CLIENT_S_DN_CN}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b %s'
enable_default_vhost
Data type: Boolean
Whether to activate the default VirtualHost on the $listen port.
Default value: true
firewall
Data type: Boolean
Whether to use the SIMP iptables module.
Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false, })
pki
Data type: Variant[Boolean,Enum['simp']]
- If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/simp_apache/x509
- If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/simp_apache/x509
- If false, do not include SIMP's pki module and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:
- app_pki_dir
- app_pki_key
- app_pki_cert
- app_pki_ca
- app_pki_ca_dir
Default value: simplib::lookup('simp_options::pki', { 'default_value' => false })
app_pki_external_source
Data type: String
- If pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.
- If pki = false, this variable has no effect.
Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })
app_pki_dir
Data type: Stdlib::AbsolutePath
This variable controls the basepath of $app_pki_key, $app_pki_cert, $app_pki_ca, $app_pki_ca_dir, and $app_pki_crl. It defaults to /etc/pki/simp_apps/simp_apache/pki.
Default value: '/etc/pki/simp_apps/simp_apache/x509'
app_pki_key
Data type: Stdlib::AbsolutePath
Path and name of the private SSL key file
Default value: "${app_pki_dir}/private/${facts['fqdn']}.pem"
app_pki_cert
Data type: Stdlib::AbsolutePath
Path and name of the public SSL certificate
Default value: "${app_pki_dir}/public/${facts['fqdn']}.pub"
app_pki_ca_dir
Data type: Stdlib::AbsolutePath
Path to the CA.
Default value: "${app_pki_dir}/cacerts"
haveged
Data type: Boolean
Whether to use the SIMP haveged module to assist with entropy generation.
Default value: simplib::lookup('simp_options::haveged', { 'default_value' => false })
openssl_cipher_suite
Data type: Array[String]
The Cipher Suite the client is permitted to negotiate in the SSL handshake phase.
Default value: simplib::lookup('simp_options::openssl::cipher_suite', { 'default_value' => ['DEFAULT', '!MEDIUM'] })
ssl_protocols
Data type: Array[String]
This directive can be used to control which versions of the SSL/TLS protocol will be accepted in new connections.
Default value: ['TLSv1.2']
ssl_honor_cipher_order
Data type: Boolean
Option to prefer the server's cipher preference order.
Default value: true
sslverifyclient
Data type: String
This directive sets the Certificate verification level for the Client Authentication.
Default value: 'require'
sslverifydepth
Data type: Integer
This directive sets how deeply mod_ssl should verify before deciding that the clients don't have a valid certificate.
Default value: 10
simp_apache::validate
or limits
ACLs
Defined types
simp_apache::site
It simply pulls a $name'd template from the templates/sites directory under the apache module, or somewhere else if you specify. The name should be 'something'.conf and should be an Apache includable configuration file.
Examples
simp_apache::site { 'public': }
Parameters
The following parameters are available in the simp_apache::site defined type.
content
Data type: String
Set this to something other than 'base' if you wish to write in your own custom content on the fly.
Default value: 'base'
Resource types
htaccess
Manages the contents of htaccess files using the htpasswd command. Right now the $namevar must be a path/user combination as documented under the $name parameter. Hopefully, this can be fixed in the future.
Note: If you want different permissions than root:root 640, you will need to create a 'file' object to manage the target file.
Properties
The following properties are available in the htaccess type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
password
The user's new password either as an SHA hash or as plain text. Anything not prefixed with {SHA} will be treated as plain text.
Parameters
The following parameters are available in the htaccess type.
name
namevar
A variable of the format 'path:username'. This will hopefully be split in the future but, for now, you cannot use usernames that contain a colon ':'.
provider
The specific backend to use for this htaccess resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
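The password rule above (anything not prefixed with {SHA} is treated as plain text) can be checked before values reach a manifest or Hiera. The following is an added example, not code from the simp_apache module: it builds the {SHA} form (Apache's unsalted SHA-1 htpasswd format) and classifies resource values. The helper names, the sample resources, and splitting the namevar on its last colon are assumptions made for illustration.

```ruby
require 'digest'

SHA_PREFIX = '{SHA}'

# Build the "{SHA}" form so the plain-text password never has to appear
# in a manifest or in Hiera data. 'm0' is strict base64 without newlines.
def sha_password(plain)
  SHA_PREFIX + [Digest::SHA1.digest(plain)].pack('m0')
end

# The documented rule: anything not prefixed with {SHA} is plain text.
def plaintext?(value)
  !value.start_with?(SHA_PREFIX)
end

# A value that carries the prefix but is not the base64 of a 20-byte SHA-1
# digest can never match a login, so flag it instead of shipping it.
def well_formed_sha?(value)
  return false unless value.start_with?(SHA_PREFIX)

  value.delete_prefix(SHA_PREFIX).unpack1('m0').bytesize == 20
rescue ArgumentError
  false
end

# Assumption: the 'path:username' namevar is split on its last colon, which
# is consistent with the documented rule that usernames cannot contain ':'.
def split_namevar(name)
  path, sep, user = name.rpartition(':')
  if sep.empty? || path.empty? || user.empty?
    raise ArgumentError, "expected 'path:username', got #{name.inspect}"
  end

  [path, user]
end

# Constructed sample data: htaccess resource title => password value.
SAMPLE_RESOURCES = {
  '/etc/httpd/conf.d/test/.htdigest:bob'   => 'hunter2',
  '/etc/httpd/conf.d/test/.htdigest:alice' => '{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=',
  '/etc/httpd/conf.d/test/.htdigest:carol' => '{SHA}not-base64'
}.freeze

# Classify every resource so plain-text and malformed values stand out.
def audit_passwords(resources)
  resources.map do |name, password|
    path, user = split_namevar(name)
    status =
      if plaintext?(password)
        :plaintext
      elsif well_formed_sha?(password)
        :sha
      else
        :malformed_sha
      end
    { path: path, user: user, status: status }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_passwords(SAMPLE_RESOURCES).each do |r|
    puts format('%-45s %-6s %s', r[:path], r[:user], r[:status])
  end
end
```

Because {SHA} is unsalted SHA-1, the hashed value should still be handled as a secret (for example, encrypted Hiera data) rather than as a safe public value.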
Functions
simp_apache::auth
Type: Ruby 4.x API
Takes a hash of arguments related to Apache 'Auth' settings and returns a reasonably formatted set of options.
Currently, only htaccess and LDAP support are implemented.
Examples
Htaccess and LDAP authentication:
simp_apache::auth({
  # Htaccess support
  'file' => {
    'enable'    => 'true',
    'user_file' => '/etc/httpd/conf.d/test/.htdigest'
  },
  'ldap' => {
    'enable'      => 'true',
    # The LDAP server URI in Apache form.
    'url'         => ['ldap://server1','ldap://server2'],
    # Must be one of 'NONE', 'SSL', 'TLS', or 'STARTTLS'
    'security'    => 'STARTTLS',
    'binddn'      => 'cn=happy,ou=People,dc=your,dc=domain',
    'bindpw'      => 'birthday',
    'search'      => 'ou=People,dc=your,dc=domain',
    # Whether or not your LDAP groups are POSIX groups.
    'posix_group' => 'true'
  }
})
Output:
AuthName "Please Authenticate"
AuthType Basic
AuthBasicProvider ldap file
AuthLDAPUrl "ldap://server1 server2/ou=People,dc=your,dc=domain" STARTTLS
AuthLDAPBindDN "cn=happy,ou=People,dc=your,dc=domain',
AuthLDAPBindPassword 'birthday'
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
AuthUserFile /etc/httpd/conf.d/elasticsearch/.htdigest
simp_apache::auth(Hash $auth_hash)
Returns: String
Formatted Apache authentication settings
auth_hash
Data type: Hash
Hash containing desired Apache authentication methods and relevant parameters as key value pairs. The key is the authentication method, while the corresponding value is a Hash of relevant parameters.
simp_apache::limits
Type: Ruby 4.x API
Takes a hash of arguments related to Apache 'Limits' settings and returns a reasonably formatted set of options.
Currently, host, user ('valid-user' only), ldap-user, and ldap-group limits are supported. The hash keys for these are:
- host limit: 'hosts'
- user limit: 'users'; only applies for 'valid-user', all others assumed LDAP users
- ldap-user limit: 'users'
- ldap-group limit: 'ldap_groups'
Groups of LDAP user primary groups are not supported since you would need to know the GID.
Examples
Host, user and ldap_group limits:
simp_apache::limits(
  {
    # Set the defaults
    # If this is omitted, it just defaults to 'GET'.
    'defaults' => [ 'GET', 'POST', 'PUT' ],
    # Allow the hosts/subnets below to GET, POST, and PUT to ES.
    'hosts' => {
      '1.2.3.4'     => 'defaults',
      '3.4.5.6'     => 'defaults',
      '10.1.2.0/24' => 'defaults'
    },
    # You can make a special user 'valid-user' that will translate to
    # allowing all valid users.
    'users' => {
      # Allow user bob GET, POST, and PUT to ES.
      'bob'   => 'defaults',
      # Allow user alice GET, POST, PUT, and DELETE to ES.
      'alice' => ['GET','POST','PUT','DELETE']
    },
    'ldap_groups' => {
      # Let the nice users read from ES.
      "cn=nice_users,ou=Group,${::basedn}" => 'defaults'
    }
  }
)
Output:
<Limit DELETE>
Order allow,deny
Require user alice
Satisfy any
</Limit>
<Limit GET>
Order allow,deny
Allow from 1.2.3.4
Allow from 3.4.5.6
Allow from 10.1.2.0/24
Require ldap-user bob
Require ldap-user alice
Require ldap-group cn=nice_users,ou=Group,dc=your,dc=domain
Satisfy any
</Limit>
<Limit POST>
Order allow,deny
Allow from 1.2.3.4
Allow from 3.4.5.6
Allow from 10.1.2.0/24
Require ldap-user bob
Require ldap-user alice
Require ldap-group cn=nice_users,ou=Group,dc=your,dc=domain
Satisfy any
</Limit>
<Limit PUT>
Order allow,deny
Allow from 1.2.3.4
Allow from 3.4.5.6
Allow from 10.1.2.0/24
Require ldap-user bob
Require ldap-user alice
Require ldap-group cn=nice_users,ou=Group,dc=your,dc=domain
Satisfy any
</Limit>
simp_apache::limits(Hash $limits_hash)
Returns: String
Formatted Apache limits settings
limits_hash
Data type: Hash
Hash containing desired Apache limits
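The generated blocks combine Allow from, Require and Satisfy any, so a request from a listed host is accepted without credentials, and any method that has no <Limit> block is not restricted by these blocks at all. The following is an added example, not code from the simp_apache module: it parses rendered <Limit> output and reports both conditions. The function names are hypothetical and the sample input is constructed from two of the blocks in the Output above.

```ruby
# Constructed sample: two of the <Limit> blocks from the documented output.
SAMPLE_LIMITS = <<~CONF
  <Limit DELETE>
  Order allow,deny
  Require user alice
  Satisfy any
  </Limit>
  <Limit GET>
  Order allow,deny
  Allow from 1.2.3.4
  Allow from 3.4.5.6
  Allow from 10.1.2.0/24
  Require ldap-user bob
  Require ldap-user alice
  Require ldap-group cn=nice_users,ou=Group,dc=your,dc=domain
  Satisfy any
  </Limit>
CONF

# Parse <Limit> sections into { 'METHOD' => { hosts:, requires:, satisfy: } }.
# Apache's default for Satisfy is "all" when the directive is absent.
def parse_limits(text)
  blocks = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')

    if (m = line.match(/\A<Limit\s+(.+?)>\z/i))
      current = { hosts: [], requires: [], satisfy: 'all' }
      # One <Limit> may name several methods; they share the same rules.
      m[1].split.each { |meth| blocks[meth.upcase] = current }
    elsif line.match?(%r{\A</Limit>\z}i)
      current = nil
    elsif current
      case line
      when /\AAllow\s+from\s+(.+)\z/i
        current[:hosts].concat(Regexp.last_match(1).split)
      when /\ARequire\s+(.+)\z/i
        current[:requires] << Regexp.last_match(1)
      when /\ASatisfy\s+(\w+)\z/i
        current[:satisfy] = Regexp.last_match(1).downcase
      end
    end
  end
  blocks
end

# With "Satisfy any", matching an Allow line is enough on its own, so these
# hosts reach the method without presenting credentials.
def unauthenticated_hosts(blocks)
  blocks.select { |_meth, b| b[:satisfy] == 'any' && !b[:hosts].empty? }
        .transform_values { |b| b[:hosts] }
end

# Methods with no <Limit> block. Apache applies a GET limit to HEAD as well.
def unrestricted_methods(blocks,
                         candidates = %w[GET HEAD POST PUT DELETE OPTIONS PATCH])
  covered = blocks.keys
  covered |= ['HEAD'] if covered.include?('GET')
  candidates - covered
end

if __FILE__ == $PROGRAM_NAME
  blocks = parse_limits(SAMPLE_LIMITS)
  unauthenticated_hosts(blocks).each do |meth, hosts|
    puts "#{meth}: no credentials needed from #{hosts.join(', ')}"
  end
  puts "No <Limit> block for: #{unrestricted_methods(blocks).join(', ')}"
end
```

On Apache 2.4 the Order, Allow and Satisfy directives are provided by mod_access_compat, so the same check applies only where that module is loaded.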
simp_apache::munge_httpd_networks
Type: Ruby 4.x API
Provides a method by which an array of networks can be properly formatted for an Apache Allow/Deny segment.
This handles the case of 0.0.0.0/0, which Apache doesn't care for and this function will convert to 'ALL'.
The case where a / is passed is also handled since Apache doesn't care for these at all.
simp_apache::munge_httpd_networks(Array $networks)
Returns: Array
Array of networks formatted appropriately for Apache
networks
Data type: Array
Array of networks to be converted to Apache format
Data types
Simp_apache::LogSeverity
Valid log severities for Apache
Alias of Enum['emerg', 'alert', 'crit', 'err', 'warn', 'notice', 'info', 'debug']
- Tue Jul 06 2021 Trevor Vaughan tvaughan@onyxpoint.com - 7.1.0
- Fixed
- Ensure that all file resources that manage more than permissions have an 'ensure' attribute - See PUP-7599
- Changed
- Moved the 'magic' file into an EPP template to work better with Bolt
- Wed Jun 16 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 7.1.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Fri Feb 26 2021 Liz Nemsick lnemsick.simp@gmail.com - 7.0.2
- Use systemd to reload/restart the httpd service.
- Expanded simp/rsyslog dependency range to < 9.0.0.
- Wed Jan 13 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 7.0.2
- Removed EL6 from supported OSes
- Thu Nov 05 2020 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.1-0
- Default to only TLS1.2
- Thu Jan 16 2020 Jeanne Greulich jeanne.greulich@onyxpoint.com - 7.0.0-0
- Update Puppet module to support EL8
- Remove deprecated Puppet 3 API functions:
- apache_auth: replaced by simp_apache::auth
- apache_limits: replaced by simp_apache::limits
- munge_httpd_networks: replaced by simp_apache::munge_httpd_networks
- Update the upper bound of simp-simplib to < 5.0.0
- Wed Jul 24 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.2.0-0
- Split out service management into a simp_apache::service class
- Provide users with a Hiera-driveable option to not manage the service
- Add REFERENCE.md
- Wed Jul 17 2019 Robert Vincent pillarsdotnet@gmail.com - 6.2.0-0
- Ensure that the simp_apache::munge_httpd_networks does not attempt to modify passed parameters.
- Thu Jun 06 2019 Steven Pritchard steven.pritchard@onypoint.com - 6.2.0-0
- Add v2 compliance_markup data
- Drop support for Puppet 4
- Add support for Puppet 6
- Add support for puppetlabs-stdlib 6
- Mon Mar 25 2019 Jim Anderson thesemicolons@protonmail.com - 6.1.3-0
- Added command to force purging of the conf/ and conf.d/ folders in /etc/httpd.
- Thu Mar 21 2019 Joseph Sharkey shark.bruhaha@gmail.com - 6.1.2-0
- Removed unnecessary bracketize function
- Wed Feb 13 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.1.1-0
- Use simplib::passgen() in lieu of passgen(), a deprecated simplib Puppet 3 function.
- Use simplib::nets2cidr in simp_apache::munge_httpd_networks in lieu of nets2cidr(), a deprecated simplib Puppet 3 function.
- Use simplib::ipaddresses in lieu of ipaddresses(), a deprecated simplib Puppet 3 function.
- Update the upper bound of stdlib to < 6.0.0
- Update a URL in the README.md
- Fri Oct 12 2018 Nick Miller nick.miller@onyxpoint.com - 6.1.0-0
- Added $package_ensure parameters to simp_apache::install
- $httpd_ensure $mod_ldap_ensure $mod_ssl_ensure
- Changed the package from 'latest' to 'installed'
- Each ensure parameter will also respect simp_options::package_ensure
- Update badges and contribution guide URL in README.md
- Fri Sep 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.1.0-0
- Drop Hiera 4 support
- Wed Sep 05 2018 Nicholas Markowski nicholas.markowski@onyxpoint.com - 6.1.0-0
- Updated $app_pki_external_source to accept any string. This matches the functionality of pki::copy.
- Tue Jul 17 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.0-0
- Support for Puppet5/OEL
- fixed htaccess tests for Gitlab
- Thu Jun 14 2018 Nick Miller nick.miller@onyxpoint.com - 6.0.2-0
- Update systemd fixtures and CI assets
- Update version range of auditd dependency in metadata.json
- Mon Apr 16 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.0.2-0
- set owned to simp_apache::user instead of simp_apache group on configuration files.
- remove simpcat as dependency
- cleaned up fixtures file
- Thu Jun 22 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.0.1-0
- Create namespaced, Puppet 4 versions of externally-used Puppet 3 functions and mark the Puppet 3 functions as deprecated. They will be removed in a later release.
- apache_auth should be replaced with simp_apache::auth
- apache_limits should be replaced with simp_apache::limits
- munge_httpd_networks should be replaced with simp_apache::munge_httpd_networks
- Update puppet requirement and remove OBE pe requirement in metadata.json
- Mon Jan 23 2017 Nick Miller nick.miller@onyxpoint.com - 6.0.0-0
- Fixed dependency logic with mod_ldap to not install it on CentOS 7
- Rsyslog calls no longer include implied logic
- Rsync now calls the correct share
- Tue Jan 17 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0
- simp_apache::site now includes simp_apache
- Tue Jan 10 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0
- Updated pki scheme
- Application certs are managed in /etc/pki/simp_apps/simp_apache/x509
- Fri Dec 30 2016 Nick Miller nick.miller@onyxpoint.com - 6.0.0-0
- Renamed add_site to site
- Strongly typed module
- Updated module assets
- Wrote a basic class acceptance test
- Wed Dec 07 2016 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0
- Updated catalysts to take defaults from simp_options
- Thu Dec 01 2016 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-0
- Updated to use the environment-aware rsync in SIMP 6
- Thu Dec 01 2016 Nicholas Hughes, Nick Markowski nmarkowski@keywcorp.com - 5.0.1-0
- Prevent log duplication and log where intended
- Changed naming to XX or YY to come before the default Z_default.conf for local rules, but after the numbered configs used by the log_server class.
- Wed Nov 23 2016 Jeanne Greulich jgreulich.simp@onyxpoint.com - 5.0.0-0
- update requirement versions
- Fri Nov 18 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.0-0
- Updated to compliance_markup version 2
- Wed Nov 16 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.0.0-0
- Updated iptables dependency version
- Fri Nov 11 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.0.0-0
- Fixed bug in which htaccess type would fail to compile as it required 'sha1' instead of 'digest/sha1'
- Fixed bug in which htaccess provider dropped the first line of an existing htaccess file, when that line did not contain the Puppet-management warning comment.
- Eliminated use of deprecated Puppet.newtype
- Fri Sep 30 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0
- Deconflict with the puppetlabs-apache module and move to the name 'simp_apache'
- Wed Sep 28 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.6-0
- Fix Forge haveged dependency name
- Tue Jul 19 2016 Lucas Yamanishi lucas.yamanishi@onyxpoint.com - 4.1.5-0
- Add default Require to apache_limits() output
- Thu Jun 30 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.4-0
- Haveged included by default for entropy generation.
- Sun May 22 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.3-0
- Ensure that PKI certificates that are downloaded without using simp::pki are copied recursively.
- Thu Apr 14 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.2-0
- Ensure that the munge_httpd_networks array is flattened on return. This is a Ruby 1.9 compatibility issue.
- Sat Mar 19 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.1-0
- Migrated use_simp_pki to a global catalyst.
- Tue Mar 01 2016 Ralph Wright ralph.wright@onyxpoint.com - 4.1.0-21
- Added compliance function support
- Tue Jan 26 2016 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-20
- Normalized common static module assets
- Thu Jan 07 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-19
- Updated to correct some ordering issues.
- Thu Nov 12 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-18
- Updated to switch from 'lsb' facts to 'operatingsystem' facts for environments that don't install the LSB packages.
- Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-17
- migration to simplib and simpcat (lib/ only)
- Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-16
- Migrated to the new 'simp' environment.
- Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-15
- Changed puppet-server requirement to puppet
- Mon Dec 15 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-14
- Updated the templates to use mod_version instead of custom apache_version fact.
- Ensure that mod_ldap is installed by default on TC versions > 5.0.
- Properly scoped all custom function definitions.
- Thu Dec 04 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-13
- Updated to properly handle the SSL protocols in Apache. We now add a
- if one is warranted and just keep the entry if it starts with a + a minus or is 'all'.
- Fri Oct 17 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-12
- CVE-2014-3566: Updated protocols to mitigate POODLE.
- Mon Sep 08 2014 Trevor Vaughan tvaughan@onyxpoint.com 4.1.0-11
- Properly confined the apache_version fact.
- Updated the apache::validate hash to not include booleans. They are not allowed on the left hand side of the comparison hash.
- Tue Aug 26 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-10
- Fixed the apache_version fact to return unknown when Apache is not installed.
- Tue Jul 29 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-9
- Fix munge_httpd_networks
- Updated to use /var/www for SIMP>=5
- Mon Jul 21 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-9
- Updated munge_httpd_networks to strip out entries that are blank or nil.
- Mon Jun 23 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8
- Fixed SELinux check for when selinux_current_mode is not found.
- RHEL7 compatibility updates
- Added a fact, 'apache_version', to allow for minute differences between the 2.2 and 2.4 versions of Apache
- Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-8
- Removed MD5 file checksums for FIPS compliance.
- Fri Jun 13 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-7
- Unbound apache package from service to fix ordering in bootstrap
- Fri May 16 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-6
- Updated cipher set in SSL to be an array instead of a string.
- Wed Apr 30 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-5
- Removed all references to $::primary_ipaddress and replaced them with a collection of all local IP addresses in the ERB files.
- Tue Apr 29 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-5
- Updated apache_limits required directives from core to mod_authnz_ldap, by changing Require user/group "foo" to Require ldap-user/group foo.
- Mon Apr 14 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-4
- Removed the ks and yum sites and moved them into the simp module.
- Removed the runpuppet templated and moved it into the simp module.
- Fri Apr 04 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-4
- Selinux booleans now set if mode != disabled
- Wed Mar 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3
- Removed the apache_syslog script and replaced all calls with calls to logger for scalability.
- Updated the munge_httpd_networks function to call nets2cidr where appropriate and accept pretty much everything else since Apache can take so many different options.
- Removed the broken PKI copy code and call the new pki::copy define.
- Fri Mar 14 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-2
- Re-added the ability to have Apache log via syslog directly.
- Removed the passgen template and replaced it with a call to the passgen function.
- Wed Feb 12 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-1
- Ensure that apache::conf::allowroot defaults to ['127.0.0.1','::1']
- Small amounts of cleanup to start complying with the PL coding standards.
- Added management of the $data_dir (/srv/www) to the ::apache class. This removes it from floating in the manifests space.
- Modified the apache restart script to do a reload and then restart if that fails. This should ensure minimal downtime of all running apps.
- Updated the runpuppet script to ensure that the clients will properly use the new variables and that servers can kick other servers.
- Update to runpuppet to ensure that the first run of puppet has a waitforcert to allow for manual certificate signing. Submission from Lab76.org.
- Thu Jan 09 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-1
- Updated the runpuppet init script such that it will remain on the system but in a completely disabled state.
- Tue Nov 12 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-0
- Restructured the entire apache module to be hiera friendly.
- Eliminated all singleton defines.
- Added the ability to use a custom PKI source and not use the SIMP source.
- Added toggles for all SIMP specific items.
- Thu Oct 03 2013 Kendall Moore kmoore@keywcorp.com - 4.0.0-14
- Updated all erb templates to properly scope variables.
- Wed Oct 02 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-14
- Use versioncmp for all version comparisons.
- Wed Sep 11 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0-13
- Added an apache::validate class that currently supports the apache_auth material but could be used to hold other values.
- Added an apache_limits function which takes a hash of options and returns a formatted set of 'Limit' statements suitable for direct insertion into an Apache configuration.
- Added an apache_auth function which takes a hash of options and returns a formatted segment of Apache auth sections. Currently supports 'file' (htpasswd) and 'ldap'.
- Thu May 02 2013 Trevor Vaughan tvaughan@onyxpoint.com 4.0-12
- Work performed jointly with Kendall Moore kmoore@keywcorp.com
- Named properly switches between chroot and non-chroot versions based on whether or not SELinux is enforcing.
- Mon Feb 25 2013 Maintenance 4.0-12
- Added a call to $::rsync_timeout to the rsync call since it is now required.
- Wed Feb 20 2013 Maintenance 4.0-11
- Updated the ssl.conf and httpd.conf templates because function calls require an argument of an array rather than allowing for single string arguments.
- Fri Jan 04 2013 Maintenance 4.0-10
- Added a custom function 'munge_httpd_networks' that will accept an array, or string, and return an array of translated network addresses. At this time, the only translation is from 0.0.0.0* to 'ALL' since apache really doesn't like 0.0.0.0/0.
- Mon Oct 22 2012 Maintenance 4.0-9
- Updated the runpuppet script to not log remotely during the puppet runs so that large numbers of spawning clients won't kill the master.
- Wed Oct 03 2012 Maintenance 4.0.0-8
- Added a sleep statement after the reboot in the runpuppet script to keep other startup scripts from continuing.
- Thu Jul 05 2012 Maintenance 4.0.0-7
- Cleaned up the yum and ks templates.
- Added the Option +Indexes to the yum and ks configurations. This allows for browsing of the yum repositories which is important for virt-manager and other kickstart utilities.
- Thu Jun 07 2012 Maintenance 4.0.0-6
- Ensure that Arrays in templates are flattened.
- Call facts as instance variables.
- Moved mit-tests to /usr/share/simp...
- Updated to work with IPv6 addresses.
- Updated pp files to better meet Puppet's recommended style guide.
- Fri Mar 02 2012 Maintenance 4.0.0-5
- Improved test stubs.
- Mon Feb 13 2012 Maintenance 4.0-4
- Added the ability for the apache user to be in multiple groups.
- Fri Dec 23 2011 Maintenance 4.0-3
- Added an initial set of tests.
- Scoped all of the top level variables.
- Modified the runpuppet template so that it properly detects the system's status as a master.
- Replaced instances of 'ipaddress' with 'primary_ipaddress'
- Sat Nov 19 2011 Maintenance 4.0-2
- Moved the 'domain' entries after the ip addresses so that DNS lookups would happen last.
- Fri Aug 12 2011 Maintenance 4.0-1
- Added support for a variable 'ks_ntp_servers' which will override the 'ntp_servers' variable from vars.pp inside of runpuppet.erb.
- Ensure that the '-b' option is passed to ntpdate in runpuppet.erb.
- Tue Jul 12 2011 Maintenance 4.0-0
- Added a variable $runpuppet_print_stats to runpuppet.erb that will enable --evaltrace and --summarize if set to 'true'.
- Updated the htaccess type to properly work with Puppet >= 2.6
- Made some RHEL6 specific compatibility changes.
- Added additional tags to the puppet runs in runpuppet.
- Mon Apr 18 2011 Maintenance - 2.0.0-3
- Changed puppet://$puppet_server/ to puppet:///
- The dhcp module now expects to have an associated rsync space that is password protected.
- Added comments to apache::ssl::setup to note that users will need to manage their own service restarts if they use alternate certificates.
- Ensure that apache restarts if any part of the certificate space is changed.
- Additional options have been added to the SSL configuration for flexibility.
- Removed Ganglia related material.
- Remove welcome.conf on the systems.
- Updated to use syslog by default.
- Fri Feb 04 2011 Maintenance - 2.0.0-2
- Changed all instances of defined(Class['foo']) to defined('foo') per the directions from the Puppet mailing list.
- Bug fix in the puppet_passenger template to ensure that PassengerMaxPoolSize is not set to 0 and also accounts for other units coming back from Facter.
- Converted to using rsync native type
2.0.0-1
- Added 'Allow from' to ganglia site template.
- Updated default values for number of passenger instances
- Updated default values for MaxClients and ServerLimit
- Updated runpuppet to use --no-splay
- Updated default value of purge in httpd_conf to false
- Tue Jan 11 2011 Maintenance 2.0.0-0
- Refactored for SIMP-2.0.0-alpha release
- Fri Jan 7 2011 Maintenance - 1.0-6
- Now ensure that the apache rsync does not delete the underlying files. This turned out to be a poor initial design decision.
- Fixed bug that causes the apache rsync space to never be retrieved.
- Updated passenger template to use correct rubylib path
- Added a httpd_conf $purge variable that translates into whether or not to remove anything that we don't have in rsync.
- Wed Jan 5 2011 Maintenance - 2.0.0
- Updated for the simp 2.0.0-alpha release
- Fixed bug causing apache rsync space to never be retrieved.
- Mon Dec 6 2010 Maintenance - 1.0-5
- Added the ability to modify the main user/group that apache runs as. The group of all component files is still set to 'apache' so you'll need to take that into account when you configure your site files.
- Added Ganglia Site
- Thu Oct 28 2010 Maintenance - 1.0-4
- Modified puppet_mongrel template to use revocation file.
- Tue Oct 26 2010 Maintenance - 1.0-3
- Converting all spec files to check for directories prior to copy.
- Thu Aug 12 2010 Maintenance 1.0-2
- runpuppet.erb now redirects all output to the log file and runs in verbose mode.
- Wed Jul 21 2010 Maintenance 1.0-1
- More refactoring.
- Wed Jun 02 2010 Maintenance 1.0-0
- CRLs now work properly.
- Passenger listens on 8140 and 8141 by default.
- Improved puppet_passenger template.
- Now point the certs in the mongrel and passenger templates at the local CA certs, not the CA server certs.
- Code refactor.
- Thu Apr 29 2010 Maintenance 0.1-24
- Changed operatingsystemrelease to lsbmajdistrelease since RHEL5.5 shows as 5.5 and not 5.
- Wed Mar 17 2010 Maintenance 0.1-23
- Added a small sleep to the apache restart that prevents a race condition caused by calling 'service httpd restart' just after 'service httpd stop'
- Thu Jan 28 2010 Maintenance 0.1-22
- Fixed a bug with the format of the puppet command variable in runpuppet.
- The script now executes cleanly out of the box.
- Thu Jan 14 2010 Maintenance 0.1-21
- Added 'TraceEnable off' to the default httpd.conf.
- Tue Dec 15 2009 Maintenance 0.1-20
- Add a yum clean all prior to running the puppetd run in runpuppet.
- Thu Nov 05 2009 Maintenance 0.1-19
- Prevent the runpuppet script from printing diff information to the logs.
Dependencies
- simp/haveged (>= 0.3.2 < 1.0.0)
- simp/iptables (>= 6.0.0 < 7.0.0)
- simp/logrotate (>= 6.0.0 < 7.0.0)
- simp/simplib (>= 3.7.0 < 5.0.0)
- simp/pki (>= 6.0.0 < 7.0.0)
- simp/rsync (>= 6.0.0 < 7.0.0)
- simp/rsyslog (>= 7.0.0 < 9.0.0)
- simp/auditd (>= 7.0.0 < 9.0.0)
- puppetlabs/stdlib (>= 6.6.0 < 8.0.0)
pupmod-simp-apache - A Puppet Module for managing the Apache Web Server
--
Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law.
The US Government retains the right to pursue copyright protections outside of the United States.
The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls.
---
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.