Merge remote-tracking branch 'origin/master' into jenkins-build-53

Jenkinsfile

@@ -1,126 +0,0 @@
-pipeline {
-    agent {
-      label 'puppet'
-    }
-
-    post {
-        always {
-            deleteDir() /* clean up our workspace */
-        }
-        success {
-            updateGitlabCommitStatus state: 'success'
-        }
-        failure {
-            updateGitlabCommitStatus state: 'failed'
-            step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'support@confdroid.com', sendToIndividuals: true])
-        }
-    }
-
-    options {
-          gitLabConnection('gitlab.confdroid.com')
-    }
-
-    stages {
-
-      stage('pull master') {
-        steps {
-          sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
-            sh '''
-                git config user.name "Jenkins Server"
-                git config user.email jenkins@confdroid.com
-                # Ensure we're on the development branch (triggered by push)
-                git checkout development
-                # Create jenkins branch from development
-                git checkout -b jenkins-build-$BUILD_NUMBER
-                # Optionally merge master into jenkins to ensure compatibility
-                git merge origin/master --no-ff || { echo "Merge conflict detected"; exit 1; }
-            '''
-        }
-      }
-    }
-
-      stage('puppet parser') {
-        steps {
-          sh '''for file in $(find . -iname \'*.pp\'); do
-            /opt/puppetlabs/bin/puppet parser validate --color false --render-as s --modulepath=modules $file || exit 1;
-            done;'''
-          }
-        }
-
-      stage('check templates') {
-        steps{
-          sh '''for file in $(find . -iname \'*.erb\');
-            do erb -P -x -T "-" $file | ruby -c || exit 1;
-            done;'''
-        }
-      }
-
-      stage('puppet-lint') {
-        steps {
-          sh '''/usr/local/bin/puppet-lint . \\
-                --no-variable_scope-check \\
-                || { echo "Puppet lint failed"; exit 1; }
-            '''
-          }
-        }
-
-      stage('SonarScan') {
-         steps {
-            withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN')]) {
-              sh '''
-              /opt/sonar-scanner/bin/sonar-scanner \
-                -Dsonar.projectKey=confdroid_apache \
-                -Dsonar.sources=. \
-                -Dsonar.host.url=https://sonarqube.confdroid.com \
-                -Dsonar.token=$SONAR_TOKEN
-                '''
-              }
-            }
-          }
-
-      stage('create Puppet documentation') {
-        steps {
-          sh '/opt/puppetlabs/bin/puppet strings'
-        }
-      }
-
-      stage('update repo') {
-        steps {
-          sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
-            sh '''
-                git config user.name "Jenkins Server"
-                git config user.email jenkins@confdroid.com
-                git rm -r --cached .vscode || echo "No .vscode to remove from git"
-                git add -A && git commit -am "Recommit for updates in build $BUILD_NUMBER" || echo "No changes to commit"
-                git push origin HEAD:master
-            '''
-        }
-      }
-    }
-
-      stage('Mirror to Gitea') {
-        steps {
-          withCredentials([usernamePassword(
-            credentialsId: 'Jenkins-gitea',
-            usernameVariable: 'GITEA_USER',
-            passwordVariable: 'GITEA_TOKEN')]) {
-            script {
-              // Checkout from GitLab (already done implicitly)
-                sh '''
-                  git checkout master
-                  git pull origin master
-                  git branch -D development
-                  git branch -D jenkins-build-$BUILD_NUMBER
-                  git rm -f Jenkinsfile
-                  git rm -r --cached .vscode || echo "No .vscode to remove from git"
-                  git commit --amend --no-edit --allow-empty
-                  git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_apache.git
-                  git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \
-                  push master --mirror
-                  '''
-          }
-        }
-      }
-    }
-  }
-}

README.md

@@ -45,7 +45,7 @@ Configuration
 
 Optional
 
-- manage remoteIP logging if running behind a Loadbalancer like HAproxy: if `ae_use_lb` is set to `true`, a configuration file `etc/httpd/conf.d/loadbalancer-remoteip.conf`is created and configures apache/httpd to use the remote header. This allows proper fail2ban protection even behind the Loadbalancer. Make sure to set `ae_trusted_proxy`to the proper IP or range for the loadbalancer!
+- manage remoteIP logging if running behind a Loadbalancer like HAproxy: if `ae_use_lb` is set to `true`, a configuration file `etc/httpd/conf.d/loadbalancer-remoteip.conf`is created and configures apache/httpd to use the remote header. This allows proper fail2ban protection even behind the Loadbalancer. Make sure to set `ae_trusted_proxy` and `ae_internal_proxy` to the proper IP or range for the loadbalancer!
 
 Maintenance
 

doc/file.README.html

@@ -60,7 +60,7 @@
       <div id="content"><div id='filecontents'>
 <h1 id="label-README">README</h1>
 
-<p><a href="https://jenkins.confdroid.com/job/confdroid_apache/"><img src="https://jenkins.confdroid.com/buildStatus/icon?job=confdroid_apache"></a> <a href="https://sonarqube.confdroid.com/dashboard?id=confdroid_apache"><img src="https://sonarqube.confdroid.com/api/project_badges/measure?project=confdroid_apache&amp;metric=security_hotspots&amp;token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654"></a> <a href="https://sonarqube.confdroid.com/dashboard?id=confdroid_apache"><img src="https://sonarqube.confdroid.com/api/project_badges/quality_gate?project=confdroid_apache&amp;token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654"></a></p>
+<p><a href="https://jenkins.confdroid.com/job/confdroid_apache/"><img src="https://jenkins.confdroid.com/buildStatus/icon?job=confdroid_apache"></a> <a href="https://sonarqube.confdroid.com/dashboard?id=confdroid_apache"><img src="https://sonarqube.confdroid.com/api/project_badges/measure?project=confdroid_apache&amp;metric=security_hotspots&amp;token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654"></a> <a href="https://deepwiki.com/grizzlycoda/puppet_collection"><img src="https://deepwiki.com/badge.svg"></a></p>
 <ul><li>
 <p><a href="#readme">README</a></p>
 </li><li>
@@ -124,7 +124,7 @@
 
 <p>Optional</p>
 <ul><li>
-<p>manage remoteIP logging if running behind a Loadbalancer like HAproxy: if <code>ae_use_lb</code> is set to <code>true</code>, a configuration file <code>etc/httpd/conf.d/loadbalancer-remoteip.conf</code>is created and configures apache/httpd to use the remote header. This allows proper fail2ban protection even behind the Loadbalancer. Make sure to set <code>ae_trusted_proxy</code>to the proper IP or range for the loadbalancer!</p>
+<p>manage remoteIP logging if running behind a Loadbalancer like HAproxy: if <code>ae_use_lb</code> is set to <code>true</code>, a configuration file <code>etc/httpd/conf.d/loadbalancer-remoteip.conf</code>is created and configures apache/httpd to use the remote header. This allows proper fail2ban protection even behind the Loadbalancer. Make sure to set <code>ae_trusted_proxy</code> and <code>ae_internal_proxy</code> to the proper IP or range for the loadbalancer!</p>
 </li></ul>
 
 <p>Maintenance</p>

doc/index.html

@@ -60,7 +60,7 @@
       <div id="content"><div id='filecontents'>
 <h1 id="label-README">README</h1>
 
-<p><a href="https://jenkins.confdroid.com/job/confdroid_apache/"><img src="https://jenkins.confdroid.com/buildStatus/icon?job=confdroid_apache"></a> <a href="https://sonarqube.confdroid.com/dashboard?id=confdroid_apache"><img src="https://sonarqube.confdroid.com/api/project_badges/measure?project=confdroid_apache&amp;metric=security_hotspots&amp;token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654"></a> <a href="https://sonarqube.confdroid.com/dashboard?id=confdroid_apache"><img src="https://sonarqube.confdroid.com/api/project_badges/quality_gate?project=confdroid_apache&amp;token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654"></a></p>
+<p><a href="https://jenkins.confdroid.com/job/confdroid_apache/"><img src="https://jenkins.confdroid.com/buildStatus/icon?job=confdroid_apache"></a> <a href="https://sonarqube.confdroid.com/dashboard?id=confdroid_apache"><img src="https://sonarqube.confdroid.com/api/project_badges/measure?project=confdroid_apache&amp;metric=security_hotspots&amp;token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654"></a> <a href="https://deepwiki.com/grizzlycoda/puppet_collection"><img src="https://deepwiki.com/badge.svg"></a></p>
 <ul><li>
 <p><a href="#readme">README</a></p>
 </li><li>
@@ -124,7 +124,7 @@
 
 <p>Optional</p>
 <ul><li>
-<p>manage remoteIP logging if running behind a Loadbalancer like HAproxy: if <code>ae_use_lb</code> is set to <code>true</code>, a configuration file <code>etc/httpd/conf.d/loadbalancer-remoteip.conf</code>is created and configures apache/httpd to use the remote header. This allows proper fail2ban protection even behind the Loadbalancer. Make sure to set <code>ae_trusted_proxy</code>to the proper IP or range for the loadbalancer!</p>
+<p>manage remoteIP logging if running behind a Loadbalancer like HAproxy: if <code>ae_use_lb</code> is set to <code>true</code>, a configuration file <code>etc/httpd/conf.d/loadbalancer-remoteip.conf</code>is created and configures apache/httpd to use the remote header. This allows proper fail2ban protection even behind the Loadbalancer. Make sure to set <code>ae_trusted_proxy</code> and <code>ae_internal_proxy</code> to the proper IP or range for the loadbalancer!</p>
 </li></ul>
 
 <p>Maintenance</p>

doc/puppet_classes/confdroid_apache_3A_3Aparams.html

@@ -350,15 +350,51 @@ inherited by all classes except defines.
         <span class='name'>ae_trusted_proxy</span>
       
       
-        <span class='type'>(<tt>String</tt>)</span>
+        <span class='type'>(<tt>Array</tt>)</span>
       
       
-        <em class="default">(defaults to: <tt>&#39;10.0.1.0/24&#39;</tt>)</em>
+        <em class="default">(defaults to: <tt>[&#39;127.0.0.1&#39;,&#39;10.0.1.0/24&#39;]</tt>)</em>
       
       
         &mdash;
         <div class='inline'>
-<p>the IP address of the trusted proxy, i.e. the load balancer. This is required when <code>ae_use_lb</code> is set to true, and defaults to ‘10.0.1.0/24’.</p>
+<p>the IP addresses of the trusted proxies, i.e. the load balancers. This is required when <code>ae_use_lb</code> is set to true, and defaults to [‘127.0.0.1’,‘10.0.1.0/24’].</p>
+</div>
+      
+    </li>
+  
+    <li>
+      
+        <span class='name'>ae_internal_proxy</span>
+      
+      
+        <span class='type'>(<tt>Array</tt>)</span>
+      
+      
+        <em class="default">(defaults to: <tt>[&#39;127.0.0.1&#39;,&#39;10.0.1.0/24&#39;]</tt>)</em>
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>the IP addresses of the internal proxies, i.e. the internal load balancers. This is required when <code>ae_use_lb</code> is set to true, and defaults to [‘127.0.0.1’].</p>
+</div>
+      
+    </li>
+  
+    <li>
+      
+        <span class='name'>ae_remoteip_header</span>
+      
+      
+        <span class='type'>(<tt>String</tt>)</span>
+      
+      
+        <em class="default">(defaults to: <tt>&#39;X-Forwarded-For&#39;</tt>)</em>
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>the header to use for the remote ip, typically <code>X-Forwarded-For</code>. This is required when <code>ae_use_lb</code> is set to true, and defaults to <code>X-Forwarded-For</code>.</p>
 </div>
       
     </li>
@@ -374,12 +410,6 @@ inherited by all classes except defines.
         <pre class="lines">
 
 
-37
-38
-39
-40
-41
-42
 43
 44
 45
@@ -443,10 +473,18 @@ inherited by all classes except defines.
 103
 104
 105
-106</pre>
+106
+107
+108
+109
+110
+111
+112
+113
+114</pre>
       </td>
       <td>
-        <pre class="code"><span class="info file"># File 'manifests/params.pp', line 37</span>
+        <pre class="code"><span class="info file"># File 'manifests/params.pp', line 43</span>
 
 class confdroid_apache::params (
 
@@ -472,7 +510,9 @@ class confdroid_apache::params (
 
 # loadbalancer
   Boolean $ae_use_lb          = false,
-  String $ae_trusted_proxy    = &#39;10.0.1.0/24&#39;,
+  Array $ae_trusted_proxy     = [&#39;127.0.0.1&#39;,&#39;10.0.1.0/24&#39;],
+  Array $ae_internal_proxy    = [&#39;127.0.0.1&#39;,&#39;10.0.1.0/24&#39;],
+  String $ae_remoteip_header  = &#39;X-Forwarded-For&#39;,
 
 ) {
 # facts

manifests/params.pp

@@ -30,9 +30,15 @@
 #   to apply the changes. This is required when using httpd behind a 
 #   load balancer like haproxy, otherwise all client ips will be logged 
 #   as the load balancer ip.
-# @param [String] ae_trusted_proxy the IP address of the trusted proxy, 
-#   i.e. the load balancer. This is required when `ae_use_lb` is set to 
-#   true, and defaults to '10.0.1.0/24'.
+# @param [Array] ae_trusted_proxy the IP addresses of the trusted proxies, 
+#   i.e. the load balancers. This is required when `ae_use_lb` is set to 
+#   true, and defaults to ['127.0.0.1','10.0.1.0/24'].
+# @param [Array] ae_internal_proxy the IP addresses of the internal proxies, 
+#   i.e. the internal load balancers. This is required when `ae_use_lb` is set to 
+#   true, and defaults to ['127.0.0.1'].
+# @param [String] ae_remoteip_header the header to use for the remote ip,
+#   typically `X-Forwarded-For`. This is required when `ae_use_lb` is set 
+#   to true, and defaults to `X-Forwarded-For`.
 ###########################################################################
 class confdroid_apache::params (
 
@@ -58,7 +64,9 @@ class confdroid_apache::params (
 
 # loadbalancer
   Boolean $ae_use_lb          = false,
-  String $ae_trusted_proxy    = '10.0.1.0/24',
+  Array $ae_trusted_proxy     = ['127.0.0.1','10.0.1.0/24'],
+  Array $ae_internal_proxy    = ['127.0.0.1','10.0.1.0/24'],
+  String $ae_remoteip_header  = 'X-Forwarded-For',
 
 ) {
 # facts

templates/loadbalancer/remoteip.conf.erb

@@ -3,10 +3,18 @@
 ##########      manual changes will be overwritten !!!               ##########
 ###############################################################################
 
-RemoteIPHeader X-Forwarded-For
-RemoteIPTrustedProxy <%= @ae_trusted_proxy %>
-RemoteIPInternalProxy <%= @ae_trusted_proxy %>
+<IfModule remoteip_module>
+    RemoteIPHeader <%= @ae_remoteip_header -%>
+    <% @ae_trusted_proxy.each do |proxy| %>
+    RemoteIPTrustedProxy <%= proxy -%>
+    <% end -%>
+    <% @ae_internal_proxy.each do |proxy| %>
+    RemoteIPInternalProxy <%= proxy -%>
+    <% end -%>
+
+
+    # Use real client IP in all standard log formats
+    LogFormat "%a %l %u %t \"%r\" %>s %b" common
+    LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
+</IfModule>
 
-# mod_remoteip rewrites client address for %a; use it in common/combined logs.
-LogFormat "%a %l %u %t \"%r\" %>s %b" common
-LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined