confdroid/confdroid_apache
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Compare commits

base: confdroid:master
Branches Tags
confdroid:master
confdroid:1.1.0-3.2026 confdroid:1.0.0
..
compare: confdroid:8b2ebce7792b726fc72b68e383842a7a07a22f23
Branches Tags
confdroid:master
confdroid:1.1.0-3.2026 confdroid:1.0.0

1 Commits
master ... 8b2ebce779

Author SHA1 Message Date
Jenkins Server
8b2ebce779 Merge remote-tracking branch 'origin/master' into jenkins-build-38 2026-03-14 11:43:56 +01:00
8 changed files with 137 additions and 196 deletions
Expand all files Collapse all files

6
README.md
View File

@@ -2,7 +2,7 @@
[![Build Status](https://jenkins.confdroid.com/buildStatus/icon?job=confdroid_apache)](https://jenkins.confdroid.com/job/confdroid_apache/) [![Build Status](https://jenkins.confdroid.com/buildStatus/icon?job=confdroid_apache)](https://jenkins.confdroid.com/job/confdroid_apache/)
[![Security Hotspots](https://sonarqube.confdroid.com/api/project_badges/measure?project=confdroid_apache&metric=security_hotspots&token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654)](https://sonarqube.confdroid.com/dashboard?id=confdroid_apache) [![Security Hotspots](https://sonarqube.confdroid.com/api/project_badges/measure?project=confdroid_apache&metric=security_hotspots&token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654)](https://sonarqube.confdroid.com/dashboard?id=confdroid_apache)
[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/grizzlycoda/puppet_collection) [![Quality gate](https://sonarqube.confdroid.com/api/project_badges/quality_gate?project=confdroid_apache&token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654)](https://sonarqube.confdroid.com/dashboard?id=confdroid_apache)
- [README](#readme) - [README](#readme)
- [Synopsis](#synopsis) - [Synopsis](#synopsis)
@@ -43,10 +43,6 @@ Configuration
- manage firewall settings (optional) - manage firewall settings (optional)
- manage nagios monitoring for the service (optional) - manage nagios monitoring for the service (optional)
Optional
- manage remoteIP logging if running behind a Loadbalancer like HAproxy: if `ae_use_lb` is set to `true`, a configuration file `etc/httpd/conf.d/loadbalancer-remoteip.conf`is created and configures apache/httpd to use the remote header. This allows proper fail2ban protection even behind the Loadbalancer. Make sure to set `ae_trusted_proxy` and `ae_internal_proxy` to the proper IP or range for the loadbalancer!
Maintenance Maintenance
- manage the service - manage the service

7
doc/file.README.html
View File

@@ -60,7 +60,7 @@
<div id="content"><div id='filecontents'> <div id="content"><div id='filecontents'>
<h1 id="label-README">README</h1> <h1 id="label-README">README</h1>
<p><a href="https://jenkins.confdroid.com/job/confdroid_apache/"><img src="https://jenkins.confdroid.com/buildStatus/icon?job=confdroid_apache"></a> <a href="https://sonarqube.confdroid.com/dashboard?id=confdroid_apache"><img src="https://sonarqube.confdroid.com/api/project_badges/measure?project=confdroid_apache&amp;metric=security_hotspots&amp;token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654"></a> <a href="https://deepwiki.com/grizzlycoda/puppet_collection"><img src="https://deepwiki.com/badge.svg"></a></p> <p><a href="https://jenkins.confdroid.com/job/confdroid_apache/"><img src="https://jenkins.confdroid.com/buildStatus/icon?job=confdroid_apache"></a> <a href="https://sonarqube.confdroid.com/dashboard?id=confdroid_apache"><img src="https://sonarqube.confdroid.com/api/project_badges/measure?project=confdroid_apache&amp;metric=security_hotspots&amp;token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654"></a> <a href="https://sonarqube.confdroid.com/dashboard?id=confdroid_apache"><img src="https://sonarqube.confdroid.com/api/project_badges/quality_gate?project=confdroid_apache&amp;token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654"></a></p>
<ul><li> <ul><li>
<p><a href="#readme">README</a></p> <p><a href="#readme">README</a></p>
</li><li> </li><li>
@@ -122,11 +122,6 @@
<p>manage nagios monitoring for the service (optional)</p> <p>manage nagios monitoring for the service (optional)</p>
</li></ul> </li></ul>
<p>Optional</p>
<ul><li>
<p>manage remoteIP logging if running behind a Loadbalancer like HAproxy: if <code>ae_use_lb</code> is set to <code>true</code>, a configuration file <code>etc/httpd/conf.d/loadbalancer-remoteip.conf</code>is created and configures apache/httpd to use the remote header. This allows proper fail2ban protection even behind the Loadbalancer. Make sure to set <code>ae_trusted_proxy</code> and <code>ae_internal_proxy</code> to the proper IP or range for the loadbalancer!</p>
</li></ul>
<p>Maintenance</p> <p>Maintenance</p>
<ul><li> <ul><li>
<p>manage the service</p> <p>manage the service</p>

7
doc/index.html
View File

@@ -60,7 +60,7 @@
<div id="content"><div id='filecontents'> <div id="content"><div id='filecontents'>
<h1 id="label-README">README</h1> <h1 id="label-README">README</h1>
<p><a href="https://jenkins.confdroid.com/job/confdroid_apache/"><img src="https://jenkins.confdroid.com/buildStatus/icon?job=confdroid_apache"></a> <a href="https://sonarqube.confdroid.com/dashboard?id=confdroid_apache"><img src="https://sonarqube.confdroid.com/api/project_badges/measure?project=confdroid_apache&amp;metric=security_hotspots&amp;token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654"></a> <a href="https://deepwiki.com/grizzlycoda/puppet_collection"><img src="https://deepwiki.com/badge.svg"></a></p> <p><a href="https://jenkins.confdroid.com/job/confdroid_apache/"><img src="https://jenkins.confdroid.com/buildStatus/icon?job=confdroid_apache"></a> <a href="https://sonarqube.confdroid.com/dashboard?id=confdroid_apache"><img src="https://sonarqube.confdroid.com/api/project_badges/measure?project=confdroid_apache&amp;metric=security_hotspots&amp;token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654"></a> <a href="https://sonarqube.confdroid.com/dashboard?id=confdroid_apache"><img src="https://sonarqube.confdroid.com/api/project_badges/quality_gate?project=confdroid_apache&amp;token=sqb_783a19acf8d97e87e5c570981a8e9019d40c4654"></a></p>
<ul><li> <ul><li>
<p><a href="#readme">README</a></p> <p><a href="#readme">README</a></p>
</li><li> </li><li>
@@ -122,11 +122,6 @@
<p>manage nagios monitoring for the service (optional)</p> <p>manage nagios monitoring for the service (optional)</p>
</li></ul> </li></ul>
<p>Optional</p>
<ul><li>
<p>manage remoteIP logging if running behind a Loadbalancer like HAproxy: if <code>ae_use_lb</code> is set to <code>true</code>, a configuration file <code>etc/httpd/conf.d/loadbalancer-remoteip.conf</code>is created and configures apache/httpd to use the remote header. This allows proper fail2ban protection even behind the Loadbalancer. Make sure to set <code>ae_trusted_proxy</code> and <code>ae_internal_proxy</code> to the proper IP or range for the loadbalancer!</p>
</li></ul>
<p>Maintenance</p> <p>Maintenance</p>
<ul><li> <ul><li>
<p>manage the service</p> <p>manage the service</p>

204
doc/puppet_classes/confdroid_apache_3A_3Aparams.html
View File

@@ -129,6 +129,118 @@ inherited by all classes except defines.
</li> </li>
<li>
<span class='name'>ae_manage_user</span>
<span class='type'>(<tt>Boolean</tt>)</span>
&mdash;
<div class='inline'>
<p>Whether or not to manage details for the httpd service user. This is generally only required when using httpd on a number of servers sharing storage resources, i.e. NFS, where UID and GID settings must be same across all nodes.</p>
</div>
</li>
<li>
<span class='name'>ae_user_name</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>Specify the user name for the httpd user. only active if ae_manage_user is set to true.</p>
</div>
</li>
<li>
<span class='name'>ae_user_uid</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>Specify the UID for the httpd service user. only active if <code>ae_manage_user</code> is set to true.</p>
</div>
</li>
<li>
<span class='name'>ae_u_comment</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>Specify the user comment for /etc/passwd. Shows up in email notifications as sender information. only active if <code>ae_manage_user</code> is set to true.</p>
</div>
</li>
<li>
<span class='name'>ae_u_groups</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>Specify any secondary groups the httpd service user should be in. Must not contain the primary group. only active if <code>ae_manage_user</code> is set to true.</p>
</div>
</li>
<li>
<span class='name'>ae_user_home</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>Specify the home of the httpd service user. only active if <code>ae_manage_user</code> is set to true.</p>
</div>
</li>
<li>
<span class='name'>ae_user_shell</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>Specify the shell for the httpd service user, which normally should not be allowed to log in . only active if <code>ae_manage_user</code> is set to true.</p>
</div>
</li>
<li> <li>
<span class='name'>ae_manage_cfg</span> <span class='name'>ae_manage_cfg</span>
@@ -323,78 +435,6 @@ inherited by all classes except defines.
&mdash; &mdash;
<div class='inline'> <div class='inline'>
<p>List of packages to install.</p> <p>List of packages to install.</p>
</div>
</li>
<li>
<span class='name'>ae_use_lb</span>
<span class='type'>(<tt>Boolean</tt>)</span>
<em class="default">(defaults to: <tt>false</tt>)</em>
&mdash;
<div class='inline'>
<p>whether to use load balancer or not. If true, a configuration file will be created to allow reading the client ips from the X-Forwarded-For header, and the httpd service will be restarted to apply the changes. This is required when using httpd behind a load balancer like haproxy, otherwise all client ips will be logged as the load balancer ip.</p>
</div>
</li>
<li>
<span class='name'>ae_trusted_proxy</span>
<span class='type'>(<tt>Array</tt>)</span>
<em class="default">(defaults to: <tt>[&#39;127.0.0.1&#39;,&#39;10.0.1.0/24&#39;]</tt>)</em>
&mdash;
<div class='inline'>
<p>the IP addresses of the trusted proxies, i.e. the load balancers. This is required when <code>ae_use_lb</code> is set to true, and defaults to [127.0.0.1,10.0.1.0/24].</p>
</div>
</li>
<li>
<span class='name'>ae_internal_proxy</span>
<span class='type'>(<tt>Array</tt>)</span>
<em class="default">(defaults to: <tt>[&#39;127.0.0.1&#39;,&#39;10.0.1.0/24&#39;]</tt>)</em>
&mdash;
<div class='inline'>
<p>the IP addresses of the internal proxies, i.e. the internal load balancers. This is required when <code>ae_use_lb</code> is set to true, and defaults to [127.0.0.1].</p>
</div>
</li>
<li>
<span class='name'>ae_remoteip_header</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;X-Forwarded-For&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>the header to use for the remote ip, typically <code>X-Forwarded-For</code>. This is required when <code>ae_use_lb</code> is set to true, and defaults to <code>X-Forwarded-For</code>.</p>
</div> </div>
</li> </li>
@@ -410,10 +450,6 @@ inherited by all classes except defines.
<pre class="lines"> <pre class="lines">
43
44
45
46
47 47
48 48
49 49
@@ -477,14 +513,10 @@ inherited by all classes except defines.
107 107
108 108
109 109
110 110</pre>
111
112
113
114</pre>
</td> </td>
<td> <td>
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 43</span> <pre class="code"><span class="info file"># File 'manifests/params.pp', line 47</span>
class confdroid_apache::params ( class confdroid_apache::params (
@@ -508,12 +540,6 @@ class confdroid_apache::params (
String $ae_http_port = &#39;80&#39;, String $ae_http_port = &#39;80&#39;,
String $ae_https_port = &#39;443&#39;, String $ae_https_port = &#39;443&#39;,
# loadbalancer
Boolean $ae_use_lb = false,
Array $ae_trusted_proxy = [&#39;127.0.0.1&#39;,&#39;10.0.1.0/24&#39;],
Array $ae_internal_proxy = [&#39;127.0.0.1&#39;,&#39;10.0.1.0/24&#39;],
String $ae_remoteip_header = &#39;X-Forwarded-For&#39;,
) { ) {
# facts # facts
$fqdn = $facts[&#39;networking&#39;][&#39;fqdn&#39;] $fqdn = $facts[&#39;networking&#39;][&#39;fqdn&#39;]
@@ -552,8 +578,6 @@ class confdroid_apache::params (
$ae_userdir_erb = &#39;confdroid_apache/userdir_conf.erb&#39; $ae_userdir_erb = &#39;confdroid_apache/userdir_conf.erb&#39;
$ae_index_file = &#39;/var/www/html/index.html&#39; $ae_index_file = &#39;/var/www/html/index.html&#39;
$ae_index_erb = &#39;confdroid_apache/index_html.erb&#39; $ae_index_erb = &#39;confdroid_apache/index_html.erb&#39;
$ae_remoteip_file = &#39;/etc/httpd/conf.d/loadbalancer-remoteip.conf&#39;
$ae_remoteip_erb = &#39;confdroid_apache/loadbalancer/remoteip.conf.erb&#39;
# includes must be last # includes must be last
include confdroid_apache::main::config include confdroid_apache::main::config

32
doc/puppet_classes/confdroid_apache_3A_3Aserver_3A_3Afiles.html
View File

@@ -205,22 +205,7 @@
107 107
108 108
109 109
110 110</pre>
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125</pre>
</td> </td>
<td> <td>
<pre class="code"><span class="info file"># File 'manifests/server/files.pp', line 6</span> <pre class="code"><span class="info file"># File 'manifests/server/files.pp', line 6</span>
@@ -314,21 +299,6 @@ class confdroid_apache::server::files (
} }
} }
if $ae_use_lb == true {
file { $ae_remoteip_file:
ensure =&gt; file,
owner =&gt; &#39;root&#39;,
group =&gt; &#39;root&#39;,
mode =&gt; &#39;0644&#39;,
selrange =&gt; s0,
selrole =&gt; object_r,
seltype =&gt; httpd_conf_t,
seluser =&gt; system_u,
content =&gt; template($ae_remoteip_erb),
notify =&gt; Service[&#39;httpd&#39;],
}
}
# manage index.html # manage index.html
file { $ae_index_file: file { $ae_index_file:

42
manifests/params.pp
View File

@@ -5,6 +5,25 @@
# inherited by all classes except defines. # inherited by all classes except defines.
# @param [String] pkg_ensure Specify which # @param [String] pkg_ensure Specify which
# package type to use, i.e. `latest`, `present` or `absent`. # package type to use, i.e. `latest`, `present` or `absent`.
# @param [Boolean] ae_manage_user Whether or not to manage details for the
# httpd service user. This is generally only required when using httpd on
# a number of servers sharing storage resources, i.e. NFS, where UID and GID
# settings must be same across all nodes.
# @param [String] ae_user_name Specify the user name for the httpd user.
# only active if ae_manage_user is set to true.
# @param [String] ae_user_uid Specify the UID for the httpd service user.
# only active if `ae_manage_user` is set to true.
# @param [String] ae_u_comment Specify the user comment for /etc/passwd.
# Shows up in email notifications as sender information.
# only active if `ae_manage_user` is set to true.
# @param [String] ae_u_groups Specify any secondary groups the httpd service
# user should be in. Must not contain the primary group.
# only active if `ae_manage_user` is set to true.
# @param [String] ae_user_home Specify the home of the httpd service user.
# only active if `ae_manage_user` is set to true.
# @param [String] ae_user_shell Specify the shell for the httpd service user,
# which normally should not be allowed to log in .
# only active if `ae_manage_user` is set to true.
# @param [Boolean] ae_manage_cfg Whether or not to manage the httpd # @param [Boolean] ae_manage_cfg Whether or not to manage the httpd
# configuration. httpd is very often a sub system used by many other services, # configuration. httpd is very often a sub system used by many other services,
# and the required configuration depends on the use case. If using httpd as # and the required configuration depends on the use case. If using httpd as
@@ -24,21 +43,6 @@
# @param [String] ae_target_contacts which contacts to notify for nagios alerts # @param [String] ae_target_contacts which contacts to notify for nagios alerts
# @param [Boolean] ae_manage_fw whether to manage firewall settings # @param [Boolean] ae_manage_fw whether to manage firewall settings
# @param [Array] reqpackages List of packages to install. # @param [Array] reqpackages List of packages to install.
# @param [Boolean] ae_use_lb whether to use load balancer or not. If true,
# a configuration file will be created to allow reading the client ips
# from the X-Forwarded-For header, and the httpd service will be restarted
# to apply the changes. This is required when using httpd behind a
# load balancer like haproxy, otherwise all client ips will be logged
# as the load balancer ip.
# @param [Array] ae_trusted_proxy the IP addresses of the trusted proxies,
# i.e. the load balancers. This is required when `ae_use_lb` is set to
# true, and defaults to ['127.0.0.1','10.0.1.0/24'].
# @param [Array] ae_internal_proxy the IP addresses of the internal proxies,
# i.e. the internal load balancers. This is required when `ae_use_lb` is set to
# true, and defaults to ['127.0.0.1'].
# @param [String] ae_remoteip_header the header to use for the remote ip,
# typically `X-Forwarded-For`. This is required when `ae_use_lb` is set
# to true, and defaults to `X-Forwarded-For`.
########################################################################### ###########################################################################
class confdroid_apache::params ( class confdroid_apache::params (
@@ -62,12 +66,6 @@ class confdroid_apache::params (
String $ae_http_port = '80', String $ae_http_port = '80',
String $ae_https_port = '443', String $ae_https_port = '443',
# loadbalancer
Boolean $ae_use_lb = false,
Array $ae_trusted_proxy = ['127.0.0.1','10.0.1.0/24'],
Array $ae_internal_proxy = ['127.0.0.1','10.0.1.0/24'],
String $ae_remoteip_header = 'X-Forwarded-For',
) { ) {
# facts # facts
$fqdn = $facts['networking']['fqdn'] $fqdn = $facts['networking']['fqdn']
@@ -106,8 +104,6 @@ class confdroid_apache::params (
$ae_userdir_erb = 'confdroid_apache/userdir_conf.erb' $ae_userdir_erb = 'confdroid_apache/userdir_conf.erb'
$ae_index_file = '/var/www/html/index.html' $ae_index_file = '/var/www/html/index.html'
$ae_index_erb = 'confdroid_apache/index_html.erb' $ae_index_erb = 'confdroid_apache/index_html.erb'
$ae_remoteip_file = '/etc/httpd/conf.d/loadbalancer-remoteip.conf'
$ae_remoteip_erb = 'confdroid_apache/loadbalancer/remoteip.conf.erb'
# includes must be last # includes must be last
include confdroid_apache::main::config include confdroid_apache::main::config

15
manifests/server/files.pp
View File

@@ -92,21 +92,6 @@ class confdroid_apache::server::files (
} }
} }
if $ae_use_lb == true {
file { $ae_remoteip_file:
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
selrange => s0,
selrole => object_r,
seltype => httpd_conf_t,
seluser => system_u,
content => template($ae_remoteip_erb),
notify => Service['httpd'],
}
}
# manage index.html # manage index.html
file { $ae_index_file: file { $ae_index_file:

20
templates/loadbalancer/remoteip.conf.erb
View File

@@ -1,20 +0,0 @@
###############################################################################
########## parameterized remoteip config created by Puppet ##########
########## manual changes will be overwritten !!! ##########
###############################################################################
<IfModule remoteip_module>
RemoteIPHeader <%= @ae_remoteip_header -%>
<% @ae_trusted_proxy.each do |proxy| %>
RemoteIPTrustedProxy <%= proxy -%>
<% end -%>
<% @ae_internal_proxy.each do |proxy| %>
RemoteIPInternalProxy <%= proxy -%>
<% end -%>
# Use real client IP in all standard log formats
LogFormat "%a %l %u %t \"%r\" %>s %b" common
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
</IfModule>