1 class profile::apache {
3 root_directory_secured => true,
4 root_directory_options => ["All"],
6 default_vhost => false,
10 combined => '%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p',
11 common => '%h %l %u %t \"%r\" %>s %b',
15 ::apache::custom_config { 'log_config.conf':
16 content => 'CustomLog "/var/log/httpd/access_log" combined',
17 filename => 'log_config.conf'
20 ::apache::custom_config { 'protocols.conf':
21 content => 'Protocols h2 http/1.1',
22 filename => 'protocols.conf'
25 ::apache::custom_config { 'protocols.load':
26 content => 'LoadModule http2_module /etc/httpd/modules/mod_http2.so',
27 filename => 'protocols.load'
30 ::apache::custom_config { 'document_root.conf':
31 source => "puppet:///modules/profile/apache/document_root.conf",
32 filename => "document_root.conf"
35 ::apache::custom_config { 'immae.conf':
36 source => "puppet:///modules/profile/apache/immae.conf",
37 filename => 'immae.conf'
40 ::apache::custom_config { 'letsencrypt.conf':
41 source => "puppet:///modules/profile/apache/letsencrypt.conf",
42 filename => 'letsencrypt.conf'
45 $apache_vhost_default = {
47 "/maintenance_immae.html",
48 "/googleb6d69446ff4ca3e5.html",
49 "/.well-known/acme-challenge"
51 no_proxy_uris_match => [
52 '^/licen[cs]es?_et_tip(ping)?$',
53 '^/licen[cs]es?_and_tip(ping)?$',
59 exec { 'Start-apache':
60 command => "/usr/bin/systemctl start httpd",
61 before => Class["::letsencrypt"],
62 unless => "/usr/bin/systemctl is-active httpd",
65 $letsencrypt_certonly_default = {
67 webroot_paths => ["/srv/http/"],
68 notify => Class['Apache::Service'],
69 require => [Exec['Start-apache'],Apache::Vhost["redirect_no_ssl"],Apache::Custom_config["letsencrypt.conf"]],
73 class { '::letsencrypt':
74 install_method => "package",
75 package_name => "certbot",
76 package_command => "certbot",
77 email => lookup('letsencrypt::email'),
80 $real_hostname = lookup("base_installation::real_hostname", { "default_value" => undef })
81 unless empty($real_hostname) {
82 if (lookup("letsencrypt::try_for_real_hostname", { "default_value" => true })) {
83 letsencrypt::certonly { $real_hostname:
84 before => Apache::Vhost["default_ssl"];
85 default: * => $::profile::apache::letsencrypt_certonly_default;
87 $ssl_cert = "/etc/letsencrypt/live/$real_hostname/cert.pem"
88 $ssl_key = "/etc/letsencrypt/live/$real_hostname/privkey.pem"
89 $ssl_chain = "/etc/letsencrypt/live/$real_hostname/chain.pem"
91 ssl::self_signed_certificate { $real_hostname:
92 common_name => $real_hostname,
95 organization => "Immae",
96 directory => "/etc/httpd/conf/ssl",
97 before => Apache::Vhost["default_ssl"],
100 $ssl_key = "/etc/httpd/conf/ssl/$real_hostname.key"
101 $ssl_cert = "/etc/httpd/conf/ssl/$real_hostname.crt"
105 apache::vhost { "default_ssl":
107 docroot => '/srv/http',
108 servername => $real_hostname,
109 directoryindex => 'index.htm index.html',
112 ssl_cert => $ssl_cert,
113 ssl_chain => $ssl_chain,
115 default: * => $::profile::apache::apache_vhost_default;
119 lookup("letsencrypt::hosts", { "default_value" => [] }).each |$host| {
120 if ($host != $real_hostname) { # Done above already
121 letsencrypt::certonly { $host: ;
122 default: * => $letsencrypt_certonly_default;
127 apache::vhost { "redirect_no_ssl":
134 serveraliases => "*",
138 rewrite_cond => '"%{REQUEST_URI}" "!^/\.well-known"',
139 rewrite_rule => '^(.+) https://%{HTTP_HOST}$1 [R=301]'
144 class { 'apache::mod::ssl':
145 ssl_protocol => [ 'all', '-SSLv3' ],
147 # https://mozilla.github.io/server-side-tls/ssl-config-generator/
148 ssl_cipher => "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS",
149 # FIXME: need SSLSessionTickets off
150 ssl_stapling => true,
151 ssl_stapling_return_errors => false,
152 # FIXME: SSLStaplingResponderTimeout 5
153 ssl_ca => '/etc/ssl/certs/ca-certificates.crt',
155 class { 'apache::mod::alias': }
156 class { 'apache::mod::autoindex': }
158 # class { 'apache::mod::mime': }
159 class { 'apache::mod::deflate': }
160 class { 'apache::mod::rewrite': }
162 class { 'apache::mod::dir':
163 indexes => ["index.html"]
168 "/srv/http/.well-known"]:
169 ensure => "directory",
175 file { "/srv/http/index.html":
179 source => "puppet:///modules/profile/apache/index.html",
181 file { "/srv/http/maintenance_immae.html":
185 source => "puppet:///modules/profile/apache/maintenance_immae.html",
187 file { "/srv/http/googleb6d69446ff4ca3e5.html":
191 source => "puppet:///modules/profile/apache/googleb6d69446ff4ca3e5.html",