OP#493 fix path for lb template

README.md

@@ -41,7 +41,11 @@ Configuration
   - file system permissions
   - selinux context
 - manage firewall settings (optional)
-- manage nagios monitoring (optional)
+- manage nagios monitoring for the service (optional)
+
+Optional
+
+- manage remoteIP logging if running behind a Loadbalancer like HAproxy: if `ae_use_lb` is set to `true`, a configuration file `etc/httpd/conf.d/loadbalancer-remoteip.conf`is created and configures apache/httpd to use the remote header. This allows proper fail2ban protection even behind the Loadbalancer. Make sure to set `ae_trusted_proxy`to the proper IP or range for the loadbalancer!
 
 Maintenance
 

manifests/monitoring/target.pp

@@ -17,7 +17,7 @@ class confdroid_apache::monitoring::target (
       owner               => 'nagios',
       group               => 'nagios',
       mode                => '0640',
-      contacts            => 'ops',
+      contacts            => $ae_target_contacts,
     }
   }
 }

manifests/params.pp

@@ -5,25 +5,6 @@
 #   inherited by all classes except defines.
 # @param [String] pkg_ensure Specify which
 #   package type to use, i.e. `latest`, `present` or `absent`.
-# @param [Boolean] ae_manage_user  Whether or not to manage details for the
-#   httpd service user. This is generally only required when using httpd on
-#   a number of servers sharing storage resources, i.e. NFS, where UID and GID
-#   settings must be same across all nodes.
-# @param [String] ae_user_name Specify the user name for the httpd user.
-#   only active if ae_manage_user is set to true.
-# @param [String] ae_user_uid Specify the UID for the httpd service user.
-#   only active if `ae_manage_user` is set to true.
-# @param [String] ae_u_comment Specify the user comment for /etc/passwd.
-#   Shows up in email notifications as sender information.
-#   only active if `ae_manage_user` is set to true.
-# @param [String] ae_u_groups Specify any secondary groups the httpd service
-#   user should be in. Must not contain the primary group.
-#   only active if `ae_manage_user` is set to true.
-# @param [String] ae_user_home  Specify the home of the httpd service user.
-#   only active if `ae_manage_user` is set to true.
-# @param [String] ae_user_shell Specify the shell for the httpd service user,
-#   which normally should not be allowed to log in .
-#   only active if `ae_manage_user` is set to true.
 # @param [Boolean] ae_manage_cfg Whether or not to manage the httpd
 #   configuration. httpd is very often a sub system used by many other services,
 #   and the required configuration depends on the use case. If using httpd as
@@ -40,14 +21,24 @@
 # @param [String] ae_http_port the port to use for the http protocol
 # @param [String] ae_https_port the port to use for the https protocol
 # @param [String] ae_target_service which service to monitor with nagios
+# @param [String] ae_target_contacts which contacts to notify for nagios alerts
 # @param [Boolean] ae_manage_fw whether to manage firewall settings
 # @param [Array] reqpackages List of packages to install.
+# @param [Boolean] ae_use_lb whether to use load balancer or not. If true, 
+#   a configuration file will be created to allow reading the client ips 
+#   from the X-Forwarded-For header, and the httpd service will be restarted 
+#   to apply the changes. This is required when using httpd behind a 
+#   load balancer like haproxy, otherwise all client ips will be logged 
+#   as the load balancer ip.
+# @param [String] ae_trusted_proxy the IP address of the trusted proxy, 
+#   i.e. the load balancer. This is required when `ae_use_lb` is set to 
+#   true, and defaults to '10.0.1.0/24'.
 ###########################################################################
 class confdroid_apache::params (
 
 # installation
-  String $pkg_ensure         = 'present',
+  String $pkg_ensure          = 'present',
-  Array $reqpackages        = ['httpd','mod_ssl'],
+  Array $reqpackages          = ['httpd','mod_ssl'],
 
 # configuration files
   Boolean $ae_manage_cfg      = false,
@@ -55,14 +46,19 @@ class confdroid_apache::params (
   Boolean $ae_allow_user_dirs = false,
 
 # nagios
-  Boolean $ae_incl_target     = false,
+  Boolean $ae_incl_target     = true,
-  String $ae_target_service  = '/etc/nagios/conf.d/httpd_service.cfg',
+  String $ae_target_service   = '/etc/nagios/conf.d/httpd_service.cfg',
+  String $ae_target_contacts  = 'nagiosadmin',
 
 # firewall
   Boolean $ae_manage_fw       = true,
-  String $ae_order_no        = '50',
+  String $ae_order_no         = '50',
-  String $ae_http_port       = '80',
+  String $ae_http_port        = '80',
-  String $ae_https_port      = '443',
+  String $ae_https_port       = '443',
+
+# loadbalancer
+  Boolean $ae_use_lb          = false,
+  String $ae_trusted_proxy    = '10.0.1.0/24',
 
 ) {
 # facts
@@ -102,6 +98,8 @@ class confdroid_apache::params (
   $ae_userdir_erb     = 'confdroid_apache/userdir_conf.erb'
   $ae_index_file      = '/var/www/html/index.html'
   $ae_index_erb       = 'confdroid_apache/index_html.erb'
+  $ae_remoteip_file   = '/etc/httpd/conf.d/loadbalancer-remoteip.conf'
+  $ae_remoteip_erb    = 'confdroid_apache/loadbalancer/remoteip.conf.erb'
 
 # includes must be last
   include confdroid_apache::main::config

manifests/server/files.pp

@@ -92,6 +92,21 @@ class confdroid_apache::server::files (
     }
   }
 
+  if $ae_use_lb == true {
+    file { $ae_remoteip_file:
+      ensure   => file,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => httpd_conf_t,
+      seluser  => system_u,
+      content  => template($ae_remoteip_erb),
+      notify   => Service['httpd'],
+    }
+  }
+
   # manage index.html
 
   file { $ae_index_file:

templates/loadbalancer/remoteip.conf.erb

@@ -0,0 +1,12 @@
+###############################################################################
+##########    parameterized remoteip config created by Puppet        ##########
+##########      manual changes will be overwritten !!!               ##########
+###############################################################################
+
+RemoteIPHeader X-Forwarded-For
+RemoteIPTrustedProxy <%= @ae_trusted_proxy %>
+RemoteIPInternalProxy <%= @ae_trusted_proxy %>
+
+# mod_remoteip rewrites client address for %a; use it in common/combined logs.
+LogFormat "%a %l %u %t \"%r\" %>s %b" common
+LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined