From dddb9afc18a15d657a49a0715f6087e73848805d Mon Sep 17 00:00:00 2001
From: Arne Teuke
Date: Fri, 20 Apr 2018 11:30:48 +0200
Subject: [PATCH] adds fw rules here to ensure fw is managed on apache lavel instead application level
---
 Jenkinsfile | 2 +-
 manifests/firewall/iptables.pp | 42 ++++++++++++++++++++++++++++++++++
 manifests/params.pp | 10 ++++++++
 3 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 manifests/firewall/iptables.pp
diff --git a/Jenkinsfile b/Jenkinsfile
index f40a842..b47b2b1 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -211,7 +211,7 @@ Changelog of Git Changelog.
 sh '''git config user.name "Jenkins Server"
 git config user.email jenkins@confdroid.com
 echo `git add -A && git commit -am "recommit for updates in build $BUILD_NUMBER"`
- git push origin HEAD:jenkins'''
+ git push origin HEAD:master'''
 }
 }
 }
diff --git a/manifests/firewall/iptables.pp b/manifests/firewall/iptables.pp
new file mode 100644
index 0000000..d23bf41
--- /dev/null
+++ b/manifests/firewall/iptables.pp
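Review bot: The pipeline now pushes its self-generated commit straight to `master`, so a commit authored under the shared "Jenkins Server" identity reaches the default branch without the review or branch protection a pull request would pass through; if `master` is protected the push will simply be rejected, and if it is not, the CI credential has become a direct write path to the release branch. The preceding context line also wraps `git add -A && git commit -am ...` in an `echo` of a command substitution, which throws away the exit status of both commands, so the push still runs when the commit failed, and `git add -A` stages whatever else happens to be in the workspace. Running the two commands plainly, `git add -A` and `git commit -am "recommit for updates in build $BUILD_NUMBER"`, lets the `sh` step fail on a non-zero status instead of pushing a broken state, and a dedicated branch merged by a person would keep the CI identity out of `master`. The enclosing stage block starts and ends outside the hunk.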
@@ -0,0 +1,42 @@
+## cd_apache::firewall::iptables.pp
+# Module name: cd_apache
+# Author: Arne Teuke (arne_teuke@ConfDroid.com)
+# License:
+# This file is part of cd_apache.
+#
+# cd_apache is used for providing automatic configuration of
+# log analyzer.
+# Copyright (C) 2017 ConfDroid (copyright@ConfDroid.com)
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+# @summary manage firewall settings through cd_firewall or puppetlabs-firewall
+###############################################################################
+class cd_apache::firewall::iptables (
+
+) inherits cd_apache::params {
+
+ if and $ae_manage_fw == true {
+
+ firewall { "${ae_order_no}${ae_http_port} tcp http port ${ae_http_port}":
+ proto => ['tcp','udp'],
+ dport => $ae_http_port,
+ action => 'accept',
+ }
+
+ firewall { "${ae_order_no}${ae_https_port} tcp http port ${ae_https_port}":
+ proto => ['tcp','udp'],
+ dport => $ae_https_port,
+ action => 'accept',
+ }
+ }
+}
diff --git a/manifests/params.pp b/manifests/params.pp
index 4f38534..d8c2b31 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
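Review bot: `if and $ae_manage_fw == true {` is not valid Puppet — `and` is a binary operator and has no left operand here — so the new class fails to parse and takes the whole catalog compilation down with it; the line should read `if $ae_manage_fw {`. Both `firewall` resources also open their port for `['tcp','udp']` although the titles say "tcp" and HTTP/HTTPS only speak TCP, so the UDP half of each rule exposes more than the class claims to manage; `proto => 'tcp',` keeps each rule to what is needed (and, as far as I recall, the puppetlabs-firewall `proto` parameter takes a single protocol string rather than an array, so the array form may be rejected anyway). The second resource's title still reads "tcp http port" for the https port, which is worth correcting because puppetlabs-firewall writes the title into the rule's comment and that is what an operator reading `iptables -L` will see. The class is entirely inside the hunk.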
@@ -55,6 +55,10 @@
 # should be allowed to share content through httpd. Usually this is a security
 # problem and as such should be disabled.
 # @param [boolean] ae_incl_target whether or not to allow nagios monitoring.
+# @param [string] ae_order_no the order number for the firewall rules
+# @param [string] ae_http_port the port to use for the http protocol
+# @param [string] ae_https_port the port to use for the https protocol
+###########################################################################
 ##############################################################################
 class cd_apache::params (
@@ -78,6 +82,12 @@
 $ae_allow_user_dirs = false,
 $ae_incl_target = true,
 $ae_target_service = '/etc/nagios/conf.d/httpd_service.cfg',
+# firewall
+$ae_manage_fw = true,
+$ae_order_no = '50',
+$ae_http_port = '80',
+$ae_https_port = '443',
+
 ) {
 # installation section
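Review bot: `$ae_manage_fw = true` is the one new parameter without a `@param` line in the documentation block of the first hunk, while `ae_order_no`, `ae_http_port` and `ae_https_port` each get one; add `# @param [boolean] ae_manage_fw whether or not to manage the iptables accept rules for the http and https ports` alongside them. Because it defaults to `true`, any node that declares `cd_apache::firewall::iptables` gets accept rules for both ports without opting in, which deserves a mention in that same comment — whether that default is intended for every consumer of the module I can't tell from here. The `cd_apache::params` parameter list is split across the two hunks and the class body continues outside them.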