Merge remote-tracking branch 'origin/master' into jenkins-build-53

README.md

@@ -2,7 +2,7 @@
 
 [![Build Status](https://jenkins.confdroid.com/buildStatus/icon?job=confdroid_apache)](https://jenkins.confdroid.com/job/confdroid_apache/)
 [![Security Hotspots](https://sonarqube.confdroid.com/api/project_badges/measure?project=confdroid_apache&metric=security_hotspots&token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654)](https://sonarqube.confdroid.com/dashboard?id=confdroid_apache)
-[![Quality gate](https://sonarqube.confdroid.com/api/project_badges/quality_gate?project=confdroid_apache&token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654)](https://sonarqube.confdroid.com/dashboard?id=confdroid_apache)
+[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/grizzlycoda/puppet_collection)
 
 - [README](#readme)
   - [Synopsis](#synopsis)
@@ -43,6 +43,10 @@ Configuration
 - manage firewall settings (optional)
 - manage nagios monitoring for the service (optional)
 
+Optional
+
+- manage remoteIP logging if running behind a Loadbalancer like HAproxy: if `ae_use_lb` is set to `true`, a configuration file `etc/httpd/conf.d/loadbalancer-remoteip.conf`is created and configures apache/httpd to use the remote header. This allows proper fail2ban protection even behind the Loadbalancer. Make sure to set `ae_trusted_proxy` and `ae_internal_proxy` to the proper IP or range for the loadbalancer!
+
 Maintenance
 
 - manage the service

doc/file.README.html

@@ -60,7 +60,7 @@
       <div id="content"><div id='filecontents'>
 <h1 id="label-README">README</h1>
 
-<p><a href="https://jenkins.confdroid.com/job/confdroid_apache/"><img src="https://jenkins.confdroid.com/buildStatus/icon?job=confdroid_apache"></a> <a href="https://sonarqube.confdroid.com/dashboard?id=confdroid_apache"><img src="https://sonarqube.confdroid.com/api/project_badges/measure?project=confdroid_apache&amp;metric=security_hotspots&amp;token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654"></a> <a href="https://sonarqube.confdroid.com/dashboard?id=confdroid_apache"><img src="https://sonarqube.confdroid.com/api/project_badges/quality_gate?project=confdroid_apache&amp;token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654"></a></p>
+<p><a href="https://jenkins.confdroid.com/job/confdroid_apache/"><img src="https://jenkins.confdroid.com/buildStatus/icon?job=confdroid_apache"></a> <a href="https://sonarqube.confdroid.com/dashboard?id=confdroid_apache"><img src="https://sonarqube.confdroid.com/api/project_badges/measure?project=confdroid_apache&amp;metric=security_hotspots&amp;token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654"></a> <a href="https://deepwiki.com/grizzlycoda/puppet_collection"><img src="https://deepwiki.com/badge.svg"></a></p>
 <ul><li>
 <p><a href="#readme">README</a></p>
 </li><li>
@@ -122,6 +122,11 @@
 <p>manage nagios monitoring for the service (optional)</p>
 </li></ul>
 
+<p>Optional</p>
+<ul><li>
+<p>manage remoteIP logging if running behind a Loadbalancer like HAproxy: if <code>ae_use_lb</code> is set to <code>true</code>, a configuration file <code>etc/httpd/conf.d/loadbalancer-remoteip.conf</code>is created and configures apache/httpd to use the remote header. This allows proper fail2ban protection even behind the Loadbalancer. Make sure to set <code>ae_trusted_proxy</code> and <code>ae_internal_proxy</code> to the proper IP or range for the loadbalancer!</p>
+</li></ul>
+
 <p>Maintenance</p>
 <ul><li>
 <p>manage the service</p>

doc/index.html

@@ -60,7 +60,7 @@
       <div id="content"><div id='filecontents'>
 <h1 id="label-README">README</h1>
 
-<p><a href="https://jenkins.confdroid.com/job/confdroid_apache/"><img src="https://jenkins.confdroid.com/buildStatus/icon?job=confdroid_apache"></a> <a href="https://sonarqube.confdroid.com/dashboard?id=confdroid_apache"><img src="https://sonarqube.confdroid.com/api/project_badges/measure?project=confdroid_apache&amp;metric=security_hotspots&amp;token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654"></a> <a href="https://sonarqube.confdroid.com/dashboard?id=confdroid_apache"><img src="https://sonarqube.confdroid.com/api/project_badges/quality_gate?project=confdroid_apache&amp;token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654"></a></p>
+<p><a href="https://jenkins.confdroid.com/job/confdroid_apache/"><img src="https://jenkins.confdroid.com/buildStatus/icon?job=confdroid_apache"></a> <a href="https://sonarqube.confdroid.com/dashboard?id=confdroid_apache"><img src="https://sonarqube.confdroid.com/api/project_badges/measure?project=confdroid_apache&amp;metric=security_hotspots&amp;token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654"></a> <a href="https://deepwiki.com/grizzlycoda/puppet_collection"><img src="https://deepwiki.com/badge.svg"></a></p>
 <ul><li>
 <p><a href="#readme">README</a></p>
 </li><li>
@@ -122,6 +122,11 @@
 <p>manage nagios monitoring for the service (optional)</p>
 </li></ul>
 
+<p>Optional</p>
+<ul><li>
+<p>manage remoteIP logging if running behind a Loadbalancer like HAproxy: if <code>ae_use_lb</code> is set to <code>true</code>, a configuration file <code>etc/httpd/conf.d/loadbalancer-remoteip.conf</code>is created and configures apache/httpd to use the remote header. This allows proper fail2ban protection even behind the Loadbalancer. Make sure to set <code>ae_trusted_proxy</code> and <code>ae_internal_proxy</code> to the proper IP or range for the loadbalancer!</p>
+</li></ul>
+
 <p>Maintenance</p>
 <ul><li>
 <p>manage the service</p>

doc/puppet_classes/confdroid_apache_3A_3Aparams.html

@@ -129,118 +129,6 @@ inherited by all classes except defines.
       
     </li>
   
-    <li>
-      
-        <span class='name'>ae_manage_user</span>
-      
-      
-        <span class='type'>(<tt>Boolean</tt>)</span>
-      
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>Whether or not to manage details for the httpd service user. This is generally only required when using httpd on a number of servers sharing storage resources, i.e. NFS, where UID and GID settings must be same across all nodes.</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ae_user_name</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>Specify the user name for the httpd user. only active if ae_manage_user is set to true.</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ae_user_uid</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>Specify the UID for the httpd service user. only active if <code>ae_manage_user</code> is set to true.</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ae_u_comment</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>Specify the user comment for /etc/passwd. Shows up in email notifications as sender information. only active if <code>ae_manage_user</code> is set to true.</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ae_u_groups</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>Specify any secondary groups the httpd service user should be in. Must not contain the primary group. only active if <code>ae_manage_user</code> is set to true.</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ae_user_home</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>Specify the home of the httpd service user. only active if <code>ae_manage_user</code> is set to true.</p>
-</div>
-      
-    </li>
-  
-    <li>
-      
-        <span class='name'>ae_user_shell</span>
-      
-      
-        <span class='type'>(<tt>String</tt>)</span>
-      
-      
-      
-        &mdash;
-        <div class='inline'>
-<p>Specify the shell for the httpd service user, which normally should not be allowed to log in . only active if <code>ae_manage_user</code> is set to true.</p>
-</div>
-      
-    </li>
-  
     <li>
       
         <span class='name'>ae_manage_cfg</span>
@@ -435,6 +323,78 @@ inherited by all classes except defines.
         &mdash;
         <div class='inline'>
 <p>List of packages to install.</p>
+</div>
+      
+    </li>
+  
+    <li>
+      
+        <span class='name'>ae_use_lb</span>
+      
+      
+        <span class='type'>(<tt>Boolean</tt>)</span>
+      
+      
+        <em class="default">(defaults to: <tt>false</tt>)</em>
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>whether to use load balancer or not. If true, a configuration file will be created to allow reading the client ips from the X-Forwarded-For header, and the httpd service will be restarted to apply the changes. This is required when using httpd behind a load balancer like haproxy, otherwise all client ips will be logged as the load balancer ip.</p>
+</div>
+      
+    </li>
+  
+    <li>
+      
+        <span class='name'>ae_trusted_proxy</span>
+      
+      
+        <span class='type'>(<tt>Array</tt>)</span>
+      
+      
+        <em class="default">(defaults to: <tt>[&#39;127.0.0.1&#39;,&#39;10.0.1.0/24&#39;]</tt>)</em>
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>the IP addresses of the trusted proxies, i.e. the load balancers. This is required when <code>ae_use_lb</code> is set to true, and defaults to [‘127.0.0.1’,‘10.0.1.0/24’].</p>
+</div>
+      
+    </li>
+  
+    <li>
+      
+        <span class='name'>ae_internal_proxy</span>
+      
+      
+        <span class='type'>(<tt>Array</tt>)</span>
+      
+      
+        <em class="default">(defaults to: <tt>[&#39;127.0.0.1&#39;,&#39;10.0.1.0/24&#39;]</tt>)</em>
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>the IP addresses of the internal proxies, i.e. the internal load balancers. This is required when <code>ae_use_lb</code> is set to true, and defaults to [‘127.0.0.1’].</p>
+</div>
+      
+    </li>
+  
+    <li>
+      
+        <span class='name'>ae_remoteip_header</span>
+      
+      
+        <span class='type'>(<tt>String</tt>)</span>
+      
+      
+        <em class="default">(defaults to: <tt>&#39;X-Forwarded-For&#39;</tt>)</em>
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>the header to use for the remote ip, typically <code>X-Forwarded-For</code>. This is required when <code>ae_use_lb</code> is set to true, and defaults to <code>X-Forwarded-For</code>.</p>
 </div>
       
     </li>
@@ -450,6 +410,10 @@ inherited by all classes except defines.
         <pre class="lines">
 
 
+43
+44
+45
+46
 47
 48
 49
@@ -513,10 +477,14 @@ inherited by all classes except defines.
 107
 108
 109
-110</pre>
+110
+111
+112
+113
+114</pre>
       </td>
       <td>
-        <pre class="code"><span class="info file"># File 'manifests/params.pp', line 47</span>
+        <pre class="code"><span class="info file"># File 'manifests/params.pp', line 43</span>
 
 class confdroid_apache::params (
 
@@ -540,6 +508,12 @@ class confdroid_apache::params (
   String $ae_http_port        = &#39;80&#39;,
   String $ae_https_port       = &#39;443&#39;,
 
+# loadbalancer
+  Boolean $ae_use_lb          = false,
+  Array $ae_trusted_proxy     = [&#39;127.0.0.1&#39;,&#39;10.0.1.0/24&#39;],
+  Array $ae_internal_proxy    = [&#39;127.0.0.1&#39;,&#39;10.0.1.0/24&#39;],
+  String $ae_remoteip_header  = &#39;X-Forwarded-For&#39;,
+
 ) {
 # facts
   $fqdn                             = $facts[&#39;networking&#39;][&#39;fqdn&#39;]
@@ -578,6 +552,8 @@ class confdroid_apache::params (
   $ae_userdir_erb     = &#39;confdroid_apache/userdir_conf.erb&#39;
   $ae_index_file      = &#39;/var/www/html/index.html&#39;
   $ae_index_erb       = &#39;confdroid_apache/index_html.erb&#39;
+  $ae_remoteip_file   = &#39;/etc/httpd/conf.d/loadbalancer-remoteip.conf&#39;
+  $ae_remoteip_erb    = &#39;confdroid_apache/loadbalancer/remoteip.conf.erb&#39;
 
 # includes must be last
   include confdroid_apache::main::config

doc/puppet_classes/confdroid_apache_3A_3Aserver_3A_3Afiles.html

@@ -205,7 +205,22 @@
 107
 108
 109
-110</pre>
+110
+111
+112
+113
+114
+115
+116
+117
+118
+119
+120
+121
+122
+123
+124
+125</pre>
       </td>
       <td>
         <pre class="code"><span class="info file"># File 'manifests/server/files.pp', line 6</span>
@@ -299,6 +314,21 @@ class confdroid_apache::server::files (
     }
   }
 
+  if $ae_use_lb == true {
+    file { $ae_remoteip_file:
+      ensure   =&gt; file,
+      owner    =&gt; &#39;root&#39;,
+      group    =&gt; &#39;root&#39;,
+      mode     =&gt; &#39;0644&#39;,
+      selrange =&gt; s0,
+      selrole  =&gt; object_r,
+      seltype  =&gt; httpd_conf_t,
+      seluser  =&gt; system_u,
+      content  =&gt; template($ae_remoteip_erb),
+      notify   =&gt; Service[&#39;httpd&#39;],
+    }
+  }
+
   # manage index.html
 
   file { $ae_index_file:

manifests/params.pp

@@ -5,25 +5,6 @@
 #   inherited by all classes except defines.
 # @param [String] pkg_ensure Specify which
 #   package type to use, i.e. `latest`, `present` or `absent`.
-# @param [Boolean] ae_manage_user  Whether or not to manage details for the
-#   httpd service user. This is generally only required when using httpd on
-#   a number of servers sharing storage resources, i.e. NFS, where UID and GID
-#   settings must be same across all nodes.
-# @param [String] ae_user_name Specify the user name for the httpd user.
-#   only active if ae_manage_user is set to true.
-# @param [String] ae_user_uid Specify the UID for the httpd service user.
-#   only active if `ae_manage_user` is set to true.
-# @param [String] ae_u_comment Specify the user comment for /etc/passwd.
-#   Shows up in email notifications as sender information.
-#   only active if `ae_manage_user` is set to true.
-# @param [String] ae_u_groups Specify any secondary groups the httpd service
-#   user should be in. Must not contain the primary group.
-#   only active if `ae_manage_user` is set to true.
-# @param [String] ae_user_home  Specify the home of the httpd service user.
-#   only active if `ae_manage_user` is set to true.
-# @param [String] ae_user_shell Specify the shell for the httpd service user,
-#   which normally should not be allowed to log in .
-#   only active if `ae_manage_user` is set to true.
 # @param [Boolean] ae_manage_cfg Whether or not to manage the httpd
 #   configuration. httpd is very often a sub system used by many other services,
 #   and the required configuration depends on the use case. If using httpd as
@@ -43,6 +24,21 @@
 # @param [String] ae_target_contacts which contacts to notify for nagios alerts
 # @param [Boolean] ae_manage_fw whether to manage firewall settings
 # @param [Array] reqpackages List of packages to install.
+# @param [Boolean] ae_use_lb whether to use load balancer or not. If true, 
+#   a configuration file will be created to allow reading the client ips 
+#   from the X-Forwarded-For header, and the httpd service will be restarted 
+#   to apply the changes. This is required when using httpd behind a 
+#   load balancer like haproxy, otherwise all client ips will be logged 
+#   as the load balancer ip.
+# @param [Array] ae_trusted_proxy the IP addresses of the trusted proxies, 
+#   i.e. the load balancers. This is required when `ae_use_lb` is set to 
+#   true, and defaults to ['127.0.0.1','10.0.1.0/24'].
+# @param [Array] ae_internal_proxy the IP addresses of the internal proxies, 
+#   i.e. the internal load balancers. This is required when `ae_use_lb` is set to 
+#   true, and defaults to ['127.0.0.1'].
+# @param [String] ae_remoteip_header the header to use for the remote ip,
+#   typically `X-Forwarded-For`. This is required when `ae_use_lb` is set 
+#   to true, and defaults to `X-Forwarded-For`.
 ###########################################################################
 class confdroid_apache::params (
 
@@ -66,6 +62,12 @@ class confdroid_apache::params (
   String $ae_http_port        = '80',
   String $ae_https_port       = '443',
 
+# loadbalancer
+  Boolean $ae_use_lb          = false,
+  Array $ae_trusted_proxy     = ['127.0.0.1','10.0.1.0/24'],
+  Array $ae_internal_proxy    = ['127.0.0.1','10.0.1.0/24'],
+  String $ae_remoteip_header  = 'X-Forwarded-For',
+
 ) {
 # facts
   $fqdn                             = $facts['networking']['fqdn']
@@ -104,6 +106,8 @@ class confdroid_apache::params (
   $ae_userdir_erb     = 'confdroid_apache/userdir_conf.erb'
   $ae_index_file      = '/var/www/html/index.html'
   $ae_index_erb       = 'confdroid_apache/index_html.erb'
+  $ae_remoteip_file   = '/etc/httpd/conf.d/loadbalancer-remoteip.conf'
+  $ae_remoteip_erb    = 'confdroid_apache/loadbalancer/remoteip.conf.erb'
 
 # includes must be last
   include confdroid_apache::main::config

manifests/server/files.pp

@@ -92,6 +92,21 @@ class confdroid_apache::server::files (
     }
   }
 
+  if $ae_use_lb == true {
+    file { $ae_remoteip_file:
+      ensure   => file,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => httpd_conf_t,
+      seluser  => system_u,
+      content  => template($ae_remoteip_erb),
+      notify   => Service['httpd'],
+    }
+  }
+
   # manage index.html
 
   file { $ae_index_file:

templates/loadbalancer/remoteip.conf.erb

@@ -0,0 +1,20 @@
+###############################################################################
+##########    parameterized remoteip config created by Puppet        ##########
+##########      manual changes will be overwritten !!!               ##########
+###############################################################################
+
+<IfModule remoteip_module>
+    RemoteIPHeader <%= @ae_remoteip_header -%>
+    <% @ae_trusted_proxy.each do |proxy| %>
+    RemoteIPTrustedProxy <%= proxy -%>
+    <% end -%>
+    <% @ae_internal_proxy.each do |proxy| %>
+    RemoteIPInternalProxy <%= proxy -%>
+    <% end -%>
+
+
+    # Use real client IP in all standard log formats
+    LogFormat "%a %l %u %t \"%r\" %>s %b" common
+    LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
+</IfModule>
+