OP#493 fix path for lb template

.gitignore

@@ -3,3 +3,4 @@ Gemfile.lock
 FileList
 .scannerwork
 .vscode
+.puppet-lint.rc

.vscode/settings.json

@@ -1,6 +0,0 @@
-{
-    "cSpell.words": [
-        "phpmyadmin",
-        "userdir"
-    ]
-}

Jenkinsfile

@@ -69,7 +69,7 @@ pipeline {
             withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN')]) {
               sh '''
               /opt/sonar-scanner/bin/sonar-scanner \
-                -Dsonar.projectKey=cconfdroid_apache \
+                -Dsonar.projectKey=confdroid_apache \
                 -Dsonar.sources=. \
                 -Dsonar.host.url=https://sonarqube.confdroid.com \
                 -Dsonar.token=$SONAR_TOKEN
@@ -114,7 +114,7 @@ pipeline {
                   git rm -f Jenkinsfile
                   git rm -r --cached .vscode || echo "No .vscode to remove from git"
                   git commit --amend --no-edit --allow-empty
-                  git remote add master https://gitea.confdroid.com/confdroid/confdroid_apache.git
+                  git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_apache.git
                   git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \
                   push master --mirror
                   '''

README.md

@@ -1,6 +1,8 @@
 # README
 
 [![Build Status](https://jenkins.confdroid.com/buildStatus/icon?job=confdroid_apache)](https://jenkins.confdroid.com/job/confdroid_apache/)
+[![Security Hotspots](https://sonarqube.confdroid.com/api/project_badges/measure?project=confdroid_apache&metric=security_hotspots&token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654)](https://sonarqube.confdroid.com/dashboard?id=confdroid_apache)
+[![Quality gate](https://sonarqube.confdroid.com/api/project_badges/quality_gate?project=confdroid_apache&token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654)](https://sonarqube.confdroid.com/dashboard?id=confdroid_apache)
 
 - [README](#readme)
   - [Synopsis](#synopsis)
@@ -16,7 +18,6 @@
   - [Contact Us](#contact-us)
   - [Disclaimer](#disclaimer)
 
-
 ## Synopsis
 
 `Apache httpd` is a very powerful and widely used web server.
@@ -25,47 +26,49 @@
 
 ## WARNING
 
-***Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production***
+---Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production---
 
 ## Features
 
 Installation
 
-* install required binaries and dependencies
+- install required binaries and dependencies
 
 Configuration
 
-* manage directory structure (optional)
-* manage configuration files (optional):
-  * file system permissions
-  * selinux context
-* manage firewall settings (optional)
-* manage nagios monitoring (optional)
+- manage directory structure (optional)
+- manage configuration files (optional):
+  - file system permissions
+  - selinux context
+- manage firewall settings (optional)
+- manage nagios monitoring for the service (optional)
+
+Optional
+
+- manage remoteIP logging if running behind a Loadbalancer like HAproxy: if `ae_use_lb` is set to `true`, a configuration file `etc/httpd/conf.d/loadbalancer-remoteip.conf`is created and configures apache/httpd to use the remote header. This allows proper fail2ban protection even behind the Loadbalancer. Make sure to set `ae_trusted_proxy`to the proper IP or range for the loadbalancer!
 
 Maintenance
 
-* manage the service
+- manage the service
 
 ### vHosts
 
 As stated in the synopsis, this module was written particularly for usage as base module. `Apache httpd` has a great number of use cases where it actually is not used directly as full-blown web server by itself, but instead as platform for other applications. Examples here would be:
 
-* front-end proxy for other applications to avoid having to put the port number into the URL
-* applications like phpMyAdmin, phpPgAdmin
-* WordPress
-* Nagios etc.
+- front-end proxy for other applications to avoid having to put the port number into the URL
+- applications like phpMyAdmin, phpPgAdmin
+- WordPress
+- Nagios etc.
 
 With those use cases, you would provide the vHosts at the Puppet module for the application, not the base module.  Also, if you plan to use this module to run a plain fully fledged web server, you would use a role- or profile class/module on top of `confdroid_apache` to set up your vHost exactly as needed. Examples for regular basic vHost configuration files are included in the examples directory as parameterized .erb files. You would create a define for vHosts, i.e. using the example parameters, and simply add `confdroid_apache` as requirement (i.e. require confdroid_apache) so it gets installed automatically.
 
 ### Dependencies
 
-All dependencies must be included in the catalogue.
-
-* [cd_resources](https://gitlab.confdroid.com/puppet/cd_resources) for managing yum repo resources.
+All listed dependencies must be included in the catalogue.
 
 ## Deployment
 
-* native Puppet deployment
+- native Puppet deployment
 
 via site.pp or nodes.pp
 
@@ -75,9 +78,9 @@ node 'example.example.net' {
 }
 ```
 
-* through Foreman:
+- through Foreman:
 
-In order to apply parameters through Foreman, **__confdroid_apache::params__** must be added to the host or host group in question.
+In order to apply parameters through Foreman, --__confdroid_apache::params__-- must be added to the host or host group in question.
 
 See [more details about class deployment on Confdroid.com](https://confdroid.com/2017/05/deploying-our-puppet-modules/).
 
@@ -91,16 +94,16 @@ All files and directories are configured with correct selinux context. If selinu
 
 ## Support
 
-* OS: Rocky 9
-* Puppet 8
+- OS: Rocky 9
+- Puppet 8
 
 ## Tests
 
-* Puppet Lint
-* Puppet Parser
-* ERB Template Parser
-* Test for unwanted UTF8 files in the Puppet code (see tests/UTF_Files)
-* Sonar Quality Gate
+- Puppet Lint
+- Puppet Parser
+- ERB Template Parser
+- Test for unwanted UTF8 files in the Puppet code (see tests/UTF_Files)
+- Sonar Quality Gate
 
 ## Contact Us
 

manifests/firewall/iptables.pp

@@ -11,7 +11,7 @@ class confdroid_apache::firewall::iptables (
       proto => 'tcp',
       dport => $ae_http_port,
       jump  => 'accept',
-  }
+    }
 
     firewall { "${ae_order_no}${ae_https_port} tcp http port ${ae_https_port}":
       proto => 'tcp',

manifests/monitoring/target.pp

@@ -6,22 +6,18 @@
 class confdroid_apache::monitoring::target (
 
 ) inherits confdroid_apache::params {
-  case $ae_incl_target {
-    false: { notify { 'Nagios Service target for check_httpd has been disabled via parameters / ENC override': }
-    }
-    default: {
-      @@nagios_service { "check_http_${fqdn}":
-        check_command       => 'check_http',
-        use                 => 'generic-service',
-        host_name           => $fqdn,
-        notification_period => '24x7',
-        service_description => "${fqdn}_check_http",
-        target              => $ae_target_service,
-        owner               => 'nagios',
-        group               => 'nagios',
-        mode                => '0640',
-        contacts            => 'ops',
-      }
+  if $ae_incl_target == true {
+    @@nagios_service { "check_http_${fqdn}":
+      check_command       => 'check_http',
+      use                 => 'generic-service',
+      host_name           => $fqdn,
+      notification_period => '24x7',
+      service_description => "${fqdn}_check_http",
+      target              => $ae_target_service,
+      owner               => 'nagios',
+      group               => 'nagios',
+      mode                => '0640',
+      contacts            => $ae_target_contacts,
     }
   }
 }

manifests/params.pp

@@ -5,25 +5,6 @@
 #   inherited by all classes except defines.
 # @param [String] pkg_ensure Specify which
 #   package type to use, i.e. `latest`, `present` or `absent`.
-# @param [Boolean] ae_manage_user  Whether or not to manage details for the
-#   httpd service user. This is generally only required when using httpd on
-#   a number of servers sharing storage resources, i.e. NFS, where UID and GID
-#   settings must be same across all nodes.
-# @param [String] ae_user_name Specify the user name for the httpd user.
-#   only active if ae_manage_user is set to true.
-# @param [String] ae_user_uid Specify the UID for the httpd service user.
-#   only active if `ae_manage_user` is set to true.
-# @param [String] ae_u_comment Specify the user comment for /etc/passwd.
-#   Shows up in email notifications as sender information.
-#   only active if `ae_manage_user` is set to true.
-# @param [String] ae_u_groups Specify any secondary groups the httpd service
-#   user should be in. Must not contain the primary group.
-#   only active if `ae_manage_user` is set to true.
-# @param [String] ae_user_home  Specify the home of the httpd service user.
-#   only active if `ae_manage_user` is set to true.
-# @param [String] ae_user_shell Specify the shell for the httpd service user,
-#   which normally should not be allowed to log in .
-#   only active if `ae_manage_user` is set to true.
 # @param [Boolean] ae_manage_cfg Whether or not to manage the httpd
 #   configuration. httpd is very often a sub system used by many other services,
 #   and the required configuration depends on the use case. If using httpd as
@@ -40,14 +21,24 @@
 # @param [String] ae_http_port the port to use for the http protocol
 # @param [String] ae_https_port the port to use for the https protocol
 # @param [String] ae_target_service which service to monitor with nagios
+# @param [String] ae_target_contacts which contacts to notify for nagios alerts
 # @param [Boolean] ae_manage_fw whether to manage firewall settings
 # @param [Array] reqpackages List of packages to install.
+# @param [Boolean] ae_use_lb whether to use load balancer or not. If true, 
+#   a configuration file will be created to allow reading the client ips 
+#   from the X-Forwarded-For header, and the httpd service will be restarted 
+#   to apply the changes. This is required when using httpd behind a 
+#   load balancer like haproxy, otherwise all client ips will be logged 
+#   as the load balancer ip.
+# @param [String] ae_trusted_proxy the IP address of the trusted proxy, 
+#   i.e. the load balancer. This is required when `ae_use_lb` is set to 
+#   true, and defaults to '10.0.1.0/24'.
 ###########################################################################
 class confdroid_apache::params (
 
 # installation
-  String $pkg_ensure         = 'present',
-  Array $reqpackages        = ['httpd','mod_ssl'],
+  String $pkg_ensure          = 'present',
+  Array $reqpackages          = ['httpd','mod_ssl'],
 
 # configuration files
   Boolean $ae_manage_cfg      = false,
@@ -55,14 +46,19 @@ class confdroid_apache::params (
   Boolean $ae_allow_user_dirs = false,
 
 # nagios
-  Boolean $ae_incl_target     = false,
-  String $ae_target_service  = '/etc/nagios/conf.d/httpd_service.cfg',
+  Boolean $ae_incl_target     = true,
+  String $ae_target_service   = '/etc/nagios/conf.d/httpd_service.cfg',
+  String $ae_target_contacts  = 'nagiosadmin',
 
 # firewall
-  Boolean $ae_manage_fw       = false,
-  String $ae_order_no        = '50',
-  String $ae_http_port       = '80',
-  String $ae_https_port      = '443',
+  Boolean $ae_manage_fw       = true,
+  String $ae_order_no         = '50',
+  String $ae_http_port        = '80',
+  String $ae_https_port       = '443',
+
+# loadbalancer
+  Boolean $ae_use_lb          = false,
+  String $ae_trusted_proxy    = '10.0.1.0/24',
 
 ) {
 # facts
@@ -102,6 +98,8 @@ class confdroid_apache::params (
   $ae_userdir_erb     = 'confdroid_apache/userdir_conf.erb'
   $ae_index_file      = '/var/www/html/index.html'
   $ae_index_erb       = 'confdroid_apache/index_html.erb'
+  $ae_remoteip_file   = '/etc/httpd/conf.d/loadbalancer-remoteip.conf'
+  $ae_remoteip_erb    = 'confdroid_apache/loadbalancer/remoteip.conf.erb'
 
 # includes must be last
   include confdroid_apache::main::config

manifests/server/files.pp

@@ -92,6 +92,21 @@ class confdroid_apache::server::files (
     }
   }
 
+  if $ae_use_lb == true {
+    file { $ae_remoteip_file:
+      ensure   => file,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => httpd_conf_t,
+      seluser  => system_u,
+      content  => template($ae_remoteip_erb),
+      notify   => Service['httpd'],
+    }
+  }
+
   # manage index.html
 
   file { $ae_index_file:

templates/loadbalancer/remoteip.conf.erb

@@ -0,0 +1,12 @@
+###############################################################################
+##########    parameterized remoteip config created by Puppet        ##########
+##########      manual changes will be overwritten !!!               ##########
+###############################################################################
+
+RemoteIPHeader X-Forwarded-For
+RemoteIPTrustedProxy <%= @ae_trusted_proxy %>
+RemoteIPInternalProxy <%= @ae_trusted_proxy %>
+
+# mod_remoteip rewrites client address for %a; use it in common/combined logs.
+LogFormat "%a %l %u %t \"%r\" %>s %b" common
+LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined