1 class profile::apache {
3 root_directory_secured => true,
4 root_directory_options => ["All"],
6 default_vhost => false,
8 combined => '%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p',
9 common => '%h %l %u %t \"%r\" %>s %b',
13 ::apache::custom_config { 'log_config.conf':
14 content => 'CustomLog "/var/log/httpd/access_log" combined',
15 filename => 'log_config.conf'
18 ::apache::custom_config { 'protocols.conf':
19 content => 'Protocols h2 http/1.1',
20 filename => 'protocols.conf'
23 ::apache::custom_config { 'document_root.conf':
24 source => "puppet:///modules/profile/apache/document_root.conf",
25 filename => "document_root.conf"
28 ::apache::custom_config { 'immae.conf':
29 source => "puppet:///modules/profile/apache/immae.conf",
30 filename => 'immae.conf'
33 ::apache::custom_config { 'letsencrypt.conf':
34 source => "puppet:///modules/profile/apache/letsencrypt.conf",
35 filename => 'letsencrypt.conf'
38 # FIXME: default values ignored?
41 "/maintenance_immae.html",
42 "/googleb6d69446ff4ca3e5.html",
43 "/.well-known/acme-challenge"
45 no_proxy_uris_match => [
46 '^/licen[cs]es?_et_tip(ping)?$',
47 '^/licen[cs]es?_and_tip(ping)?$',
53 $real_hostname = lookup("base_installation::real_hostname") |$key| { {} }
54 unless empty($real_hostname) {
55 apache::vhost { "default_ssl":
57 docroot => '/srv/http',
58 servername => $real_hostname,
59 directoryindex => 'index.htm index.html',
64 apache::vhost { "redirect_no_ssl":
75 rewrite_cond => '"%{REQUEST_URI}" "!^/\.well-known"',
76 rewrite_rule => '^(.+) https://%{HTTP_HOST}$1 [R=301]'
81 class { 'apache::mod::ssl':
82 ssl_protocol => [ 'all', '-SSLv3' ],
84 # https://mozilla.github.io/server-side-tls/ssl-config-generator/
85 ssl_cipher => "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS",
86 # FIXME: need SSLSessionTickets off
88 ssl_stapling_return_errors => false,
89 # FIXME: SSLStaplingResponderTimeout 5
90 ssl_ca => '/etc/ssl/certs/ca-certificates.crt',
92 class { 'apache::mod::alias': }
93 class { 'apache::mod::autoindex': }
95 # class { 'apache::mod::mime': }
96 class { 'apache::mod::deflate': }
97 class { 'apache::mod::rewrite': }
99 class { 'apache::mod::dir':
100 indexes => ["index.html"]
105 "/srv/http/.well-known",
106 "/srv/http/.well-known/acme-challenge"]:
107 ensure => "directory",
113 file { "/srv/http/maintenance_immae.html":
117 source => "puppet:///modules/profile/apache/maintenance_immae.html",
119 file { "/srv/http/googleb6d69446ff4ca3e5.html":
123 source => "puppet:///modules/profile/apache/googleb6d69446ff4ca3e5.html",