class profile::apache {
  # Profile around the puppetlabs-apache module: base server settings, global
  # config snippets, the TLS module configuration and the two default vhosts
  # (HTTPS on the machine's real hostname, plain-HTTP -> HTTPS redirect).
  class { 'apache':
    # Deny-by-default access policy for the filesystem root.
    # NOTE(review): "All" is the most permissive Options value; confirm that
    # document_root.conf narrows it for the directories actually served.
    root_directory_secured => true,
    root_directory_options => ["All"],
    # No module-provided mods or vhost: everything is declared explicitly below.
    default_mods => false,
    default_vhost => false,
    # "combined" is the usual combined format with the canonical vhost name
    # (%v) prepended and the server port (%p) appended.
    log_formats => {
      combined => '%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p',
      common => '%h %l %u %t \"%r\" %>s %b',
    }
  }

  # Global access log using the "combined" format defined above.
  ::apache::custom_config { 'log_config.conf':
    content => 'CustomLog "/var/log/httpd/access_log" combined',
    filename => 'log_config.conf'
  }

  # Offer HTTP/2 (h2, negotiated over TLS) next to HTTP/1.1; h2c is not listed.
  ::apache::custom_config { 'protocols.conf':
    content => 'Protocols h2 http/1.1',
    filename => 'protocols.conf'
  }

  # Site-specific snippets shipped as static files from this module.
  ::apache::custom_config { 'document_root.conf':
    source => "puppet:///modules/profile/apache/document_root.conf",
    filename => "document_root.conf"
  }

  ::apache::custom_config { 'immae.conf':
    source => "puppet:///modules/profile/apache/immae.conf",
    filename => 'immae.conf'
  }

  ::apache::custom_config { 'letsencrypt.conf':
    source => "puppet:///modules/profile/apache/letsencrypt.conf",
    filename => 'letsencrypt.conf'
  }

  # Resource defaults for apache::vhost: keep the maintenance page, the
  # site-verification file and the ACME challenge path out of any proxying.
  # NOTE(review): presumably the FIXME below stems from Puppet resource
  # defaults being dynamically scoped (they do not reach vhosts declared in
  # unrelated classes) and from no_proxy_uris only mattering on vhosts that
  # actually proxy -- verify against the other profiles.
  # FIXME: default values ignored?
  Apache::Vhost {
    no_proxy_uris => [
      "/maintenance_immae.html",
      "/googleb6d69446ff4ca3e5.html",
      "/.well-known/acme-challenge"
    ],
    # Regex variants of locally served licence / tipping pages.
    no_proxy_uris_match => [
      '^/licen[cs]es?_et_tip(ping)?$',
      '^/licen[cs]es?_and_tip(ping)?$',
      '^/licen[cs]es?$',
      '^/tip(ping)?$',
    ]
  }

  # lookup() falls back to an empty hash, so empty() is true when the key is
  # unset and the HTTPS default vhost is skipped entirely.
  $real_hostname = lookup("base_installation::real_hostname") |$key| { {} }
  unless empty($real_hostname) {
    # Default HTTPS vhost on the real hostname. Priority 0 sorts its config
    # file first, which presumably makes it the vhost Apache serves for
    # requests matching no other name; TLS settings come from mod::ssl below.
    apache::vhost { "default_ssl":
      port => '443',
      docroot => '/srv/http',
      servername => $real_hostname,
      directoryindex => 'index.htm index.html',
      priority => 0,
    }
  }

  # Plain-HTTP catch-all (empty servername, "*" alias): everything except
  # /.well-known (ACME HTTP-01 has to stay reachable on port 80) is 301'd to
  # the same path over HTTPS.
  # NOTE(review): the target is built from the client-supplied Host header
  # (%{HTTP_HOST}), so the redirect reflects whatever host the client sent
  # rather than a fixed canonical name; and with error_log/access_log both
  # disabled, traffic reaching port 80 leaves no trace in any log. Consider
  # `[R=301,L]` so rule processing stops explicitly.
  apache::vhost { "redirect_no_ssl":
    port => '80',
    error_log => false,
    log_level => undef,
    access_log => false,
    docroot => false,
    servername => "",
    serveraliases => "*",
    priority => 99,
    rewrites => [
      {
        rewrite_cond => '"%{REQUEST_URI}" "!^/\.well-known"',
        rewrite_rule => '^(.+) https://%{HTTP_HOST}$1 [R=301]'
      }
    ]
  }

  class { 'apache::mod::ssl':
    # "all" minus SSLv3 still leaves TLS 1.0 and TLS 1.1 enabled.
    ssl_protocol => [ 'all', '-SSLv3' ],
    # Given by
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # NOTE(review): the list still carries 3DES (DES-CBC3-SHA) and non-PFS
    # static-RSA suites (AES128-SHA etc.), i.e. an older "intermediate"
    # profile; confirm whether that legacy-client support is still needed.
    ssl_cipher => "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS",
    # FIXME: need SSLSessionTickets off
    # (a ticket key that is never rotated undermines forward secrecy for
    # resumed sessions -- the FIXME above is still open)
    # OCSP stapling on; a failed OCSP fetch is not surfaced to clients as an error.
    ssl_stapling => true,
    ssl_stapling_return_errors => false,
    # FIXME: SSLStaplingResponderTimeout 5
    # System CA bundle, presumably used for chain building / client-cert checks.
    ssl_ca => '/etc/ssl/certs/ca-certificates.crt',
  }
  class { 'apache::mod::alias': }
  class { 'apache::mod::autoindex': }
  # Included by ssl
  # class { 'apache::mod::mime': }
  class { 'apache::mod::deflate': }
  class { 'apache::mod::rewrite': }

  # DirectoryIndex for the default docroot (the default_ssl vhost above lists
  # its own index files).
  class { 'apache::mod::dir':
    indexes => ["index.html"]
  }

  # Default docroot plus the ACME HTTP-01 challenge directory, root-owned and
  # world-readable (0755) so the web server can serve but not write them.
  file { [
    "/srv/http",
    "/srv/http/.well-known",
    "/srv/http/.well-known/acme-challenge"]:
    ensure => "directory",
    mode => "0755",
    owner => "root",
    group => "root",
  }

  # Static pages served from the docroot; both are excluded from proxying by
  # the Apache::Vhost defaults above.
  file { "/srv/http/maintenance_immae.html":
    mode => "0644",
    owner => "root",
    group => "root",
    source => "puppet:///modules/profile/apache/maintenance_immae.html",
  }
  # Presumably a Google site-verification token file.
  file { "/srv/http/googleb6d69446ff4ca3e5.html":
    mode => "0644",
    owner => "root",
    group => "root",
    source => "puppet:///modules/profile/apache/googleb6d69446ff4ca3e5.html",
  }
}