updated README

2017-07-09 16:08:26 +01:00
parent 84692e42e9
commit ce399480a4
4 changed files with 238 additions and 1 deletions
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@
 ### Synopsis
 `Apache httpd` is a very powerful and widely used web server.

-`cd_apache` automates the installation and configuration of httpd. This module is a base module providing the httpd service itself, meaning that it is designed to be used by other role- or profile modules, adding more detailed configurations specific to the particular use case, i.e. full content servers, front-end for application servers, proxies etc.
+`cd_apache` automates the installation and configuration of httpd. This module is a base module simply providing the httpd service itself to be used by other role- or profile modules, adding more detailed configurations specific to the particular use case.

 ### WARNING
 `**__!!! Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previuos configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production!!! __**`
@@ -44,6 +44,16 @@ Configuration
 Maintenance
 * manage the service

+#### vHosts
+As stated in the ynopsis, this module was written particularly for usage as base module. `Apache httpd` has a great number of usae cases where it actually is not used directly as full blown webser, but instead as 'sub-service'. Examples here would be
+
+* frontend proxy for other applications to avoid having to put the port number into the URL
+* applications like phpMyAdmin, phpPgAdmin
+* WordPress
+* Nagios etc.
+
+With those use cases, you would provide the vHosts at the Puppet module for the application, not the base module.  Also, if you plan to use this module to run a plain fully fledged web server, you would use a role- or profile class/module on top of `cd_apache` to set up your vHost exactly as needed. Examples for regular basic vHost configuration files are included in the examples directory. The exact layout for your particular vhost configuration files depend a lot on your application and organization requirements, and cannot be predicted from outside per se.
+
 ### Repo Structure
 Repostructure as been moved to REPOSTRUCTURE.md

--- a/manifests/sites/vhost.pp
+++ b/manifests/sites/vhost.pp
@@ -0,0 +1,156 @@
+##  cd_apache::sites::vhost
+# Module name: cd_apache
+# Author: Arne Teuke (arne_teuke@confdroid.com)
+# License:
+#    This file is part of cd_apache.
+#
+#    cd_apache is used for providing automatic configuration of
+#    Apache Websites.
+#    Copyright (C) 2014  confdroid (copyright@confdroid.com)
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+# @summary Define to allow setting up individual multiple virtual hosts.
+# @param  [boolean] ae_use_https Whether or not to use https. It is highly
+#   recommended to **__always__** use https. Using certbot/letsencypt as
+#   automated CA certification option, it does create additional costs but
+#   increases traffic security of your website for your users.
+# @param  [boolean] ae_http_https_fw Whether or not to forward http traffic to
+#   https. Recommended. Only active if `ae_use_https` is set to `true`.
+# @param  [string]  ae_vhost_port Specify the port number for the vhost
+# @param  [string]  ae_ssl_vhost_port Specify the ssl port number for the vhost.
+# @param  [string] ae_server_admin email address, where problems with the server
+#   should be e-mailed to. This address appears on some server-generated pages,
+#   such as error documents.  e.g. admin@your-domain.com
+# @param  [string]  ae_server_name What domain name should the vhost listen to,
+#   i.e. example.com. do not use `www.` in here as that is automatically added
+#   through the template, and the server_name  itself is added through aliases.
+# @param  [string] ae_vhost_root_path The root path where your vhost will live.
+#   i.e. /var/www/html. This is used to build a string for the full doc path
+#   together with  `ae_server_name` i.e. /var/www/html/example.com
+# @param  [string]  ae_allow_from Specify a network address here if trying to
+#   strict access to the website to a particular network range. Otherwise leave
+#   `all` to allow unrestricted access.
+# @param  [boolean] ae_use_access_log Whether or not to keep an access log for
+#   your website. Note that in certain contries it is illegal nowadays to keep
+#   the access log for prolonged time or to keep it at all.
+# @param  [string]  ae_dir_index Specify the directory index, i.e. `index.html`
+#   or `index.php` etc.
+# @param  [string]  ae_vhost_loglevel Specify the LogLevel.
+# @param  [string] ae_ssl_protocol Specify the supported ssl protocols, i.e.
+#   `all TLSv1 -SSLv2 -SSLv3` (i.e. do not support any SSL version as they all
+#   are compromised, use TLS only).
+# @param  [string] ae_ssl_cipher_suite Specify teh cipher suite you want to
+#   support.
+##############################################################################
+define cd_apache::sites::vhost (
+
+$ae_use_https         = true,
+$ae_http_https_fw     = true,
+$ae_vhost_port        = '80',
+$ae_ssl_vhost_port    = '443',
+$ae_server_admin      = 'root@localhost',
+$ae_server_name       = undef,
+$ae_vhost_root_path   = '/var/www/html/',
+$ae_allow_from        = 'all',
+$ae_use_access_log    = false,
+$ae_dir_index         = 'index.html',
+$ae_vhost_loglevel    = 'warn',
+$ae_ssl_protocol      = 'all TLSv1 -SSLv2 -SSLv3',
+$ae_ssl_cipher_suite  = 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP  !PSK !SRP !DSS !RC4',
+$ae_tls_cert_path     = '/etc/pki/tls/certs',
+$ae_tls_key_path      = '/etc/pki/tls/private',
+$ae_ssl_vhost_cert    = "${::domain}.crt",
+$ae_ssl_vhost_key     = "${::domain}.key",
+$ae_ssl_vhost_chain   = "${::domain}.ca-cert",
+$ae_use_certbot       = true,
+
+) {
+
+$ae_manage_cfg        = $::cd_apache::params::ae_manage_cfg
+$ae_conf_d_dir        = $::cd_apache::params::ae_conf_d_dir
+$ae_service           = $::cd_apache::params::ae_service
+$ae_doc_root          = "${ae_vhost_root_path}/${ae_server_name}"
+$ae_vhost_erb         = $::cd_apache::params::ae_vhost_erb
+$ae_vhost_ssl_erb     = $::cd_apache::params::ae_vhost_ssl_erb
+
+
+  # allow creating vhosts but only if we are managing the server configuration
+  if $ae_manage_cfg == true {
+    if $ae_use_https != true {
+
+      file  { "${name}.conf":
+        ensure    =>  file,
+        path      =>  "${ae_conf_d_dir}/${name}.conf",
+        owner     =>  'root',
+        group     =>  'foot',
+        mode      =>  '0644',
+        selrange  =>  s0,
+        selrole   =>  object_r,
+        seltype   =>  httpd_config_t,
+        seluser   =>  system_u,
+        content   =>  template($ae_vhost_erb),
+        notify    =>  Service[$ae_service],
+      }
+    }
+
+    if $ae_use_https == true {
+      if $ae_http_https_fw == true {
+
+        file  { "${name}.conf":
+          ensure    =>  file,
+          path      =>  "${ae_conf_d_dir}/${name}.conf",
+          owner     =>  'root',
+          group     =>  'foot',
+          mode      =>  '0644',
+          selrange  =>  s0,
+          selrole   =>  object_r,
+          seltype   =>  httpd_config_t,
+          seluser   =>  system_u,
+          content   =>  template($ae_vhost_erb),
+          notify    =>  Service[$ae_service],
+        }
+
+        file  { "${name}_ssl.conf":
+          ensure    =>  file,
+          path      =>  "${ae_conf_d_dir}/${name}_ssl.conf",
+          owner     =>  'root',
+          group     =>  'foot',
+          mode      =>  '0644',
+          selrange  =>  s0,
+          selrole   =>  object_r,
+          seltype   =>  httpd_config_t,
+          seluser   =>  system_u,
+          content   =>  template($ae_vhost_ssl_erb),
+          notify    =>  Service[$ae_service],
+        }
+      }
+
+      if $ae_http_https_fw != true {
+
+        file  { "${name}_ssl.conf":
+          ensure    =>  file,
+          path      =>  "${ae_conf_d_dir}/${name}_ssl.conf",
+          owner     =>  'root',
+          group     =>  'foot',
+          mode      =>  '0644',
+          selrange  =>  s0,
+          selrole   =>  object_r,
+          seltype   =>  httpd_config_t,
+          seluser   =>  system_u,
+          content   =>  template($ae_vhost_ssl_erb),
+          notify    =>  Service[$ae_service],
+        }
+      }
+    }
+  }
+}
--- a/templates/vhost/CentOS/6/vhost.erb
+++ b/templates/vhost/CentOS/6/vhost.erb
@@ -0,0 +1,22 @@
+<VirtualHost *:<%= @ae_vhost_port %> >
+    ServerAdmin   <%= @ae_server_admin%>
+    ServerName    www.<%= @ae_server_name %>
+    ServerAlias   <%= @ae_server_name %>
+    DocumentRoot  <%= @ae_doc_root %>
+
+  <% if @ae_use_https == true and @ae_http_https_fw == true -%>
+    Redirect permanent / https://<%= @ae_server_name %>/
+  <% else -%>
+    DirectoryIndex  <%= @ae_dir_index %>
+   <Directory <%= @ae_doc_root -%>
+      AllowOverride none
+      Order Allow,Deny
+      Allow from <%= @ae_allow_from %>
+    </Directory>
+  <% end %>
+    ErrorLog        /var/log/httpd/<%= @ae_server_name%>_error_log
+  <% if @ae_use_access_log == true %>
+    CustomLog /var/log/httpd/<%= @ae_server_name%>_access_log common
+  <% end %>
+  LogLevel <%= @ae_vhost_loglevel %>
+</VirtualHost>
--- a/templates/vhost/CentOS/6/vhost_ssl.erb
+++ b/templates/vhost/CentOS/6/vhost_ssl.erb
@@ -0,0 +1,49 @@
+<VirtualHost *:<%= @ae_ssl_vhost_port %> >
+    ServerAdmin     <%= @ae_server_admin %>
+    DocumentRoot    <%= @ae_doc_root %>
+    ServerName      www.<%= @ae_server_name %>
+    ServerAlias     <%= @ae_server_name %>
+    DirectoryIndex  <%= @ae_dir_index %>
+    ErrorLog        /var/log/httpd/<%= @ae_server_name %>_ssl_error_log
+    TransferLog     /var/log/httpd/<%= @ae_server_name%>_ssl_transfer_log
+  <% if @ae_use_access_log == true -%>
+    CustomLog /var/log/httpd/<%= @ae_server_name%>_ssl_access_log common
+  <% end -%>
+    LogLevel <%= @ae_vhost_loglevel %>
+    SSLEngine on
+    SSLProtocol <%= @ae_ssl_protocols%>
+    SSLCipherSuite "<%= @ae_ssl_ciphersuite%>"
+
+<% if @ae_use_certbot == true -%>
+    SSLCertificateFile  /etc/letsencrypt/live/<%= @ae_server_name %>/cert.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/<%= @ae_server_name %>/privkey.pem
+    SSLCertificateChainFile /etc/letsencrypt/live/<%= @ae_server_name %>/fullchain.pem
+<% else -%>
+    SSLCertificateFile <%= @ae_tls_cert_path %>/<%= @ae_ssl_vhost_cert %>
+    SSLCertificateKeyFile <%= @ae_tls_key_path %>/<%= @ae_ssl_vhost_key %>
+    SSLCertificateChainFile <%= @ae_tls_cert_path %>/<%= @ae_ssl_vhost_chain %>
+<% end -%>
+
+    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
+    SSLOptions +StdEnvVars
+    </Files>
+    <Directory "/var/www/cgi-bin">
+    SSLOptions +StdEnvVars
+    </Directory>
+
+   <Directory <%= @ae_doc_root -%>
+      AllowOverride none
+      Order Allow,Deny
+      Allow from <%= @ae_allow_from %>
+    </Directory>
+
+  <% end %>
+
+   SetEnvIf User-Agent ".*MSIE.*" \
+       nokeepalive ssl-unclean-shutdown \
+         downgrade-1.0 force-response-1.0
+
+     CustomLog logs/ssl_request_log \
+          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>