+class profile::apache {
+ class { 'apache':
+ root_directory_secured => true,
+ root_directory_options => ["All"],
+ default_mods => false,
+ default_vhost => false,
+ log_formats => {
+ combined => '%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p',
+ common => '%h %l %u %t \"%r\" %>s %b',
+ }
+ }
+
+ ::apache::custom_config { 'log_config.conf':
+ content => 'CustomLog "/var/log/httpd/access_log" combined',
+ filename => 'log_config.conf'
+ }
+
+ ::apache::custom_config { 'protocols.conf':
+ content => 'Protocols h2 http/1.1',
+ filename => 'protocols.conf'
+ }
+
+ ::apache::custom_config { 'document_root.conf':
+ source => "puppet:///modules/profile/apache/document_root.conf",
+ filename => "document_root.conf"
+ }
+
+ ::apache::custom_config { 'immae.conf':
+ source => "puppet:///modules/profile/apache/immae.conf",
+ filename => 'immae.conf'
+ }
+
+ ::apache::custom_config { 'letsencrypt.conf':
+ source => "puppet:///modules/profile/apache/letsencrypt.conf",
+ filename => 'letsencrypt.conf'
+ }
+
+ # FIXME: default values ignored?
+ Apache::Vhost {
+ no_proxy_uris => [
+ "/maintenance_immae.html",
+ "/googleb6d69446ff4ca3e5.html",
+ "/.well-known/acme-challenge"
+ ],
+ no_proxy_uris_match => [
+ '^/licen[cs]es?_et_tip(ping)?$',
+ '^/licen[cs]es?_and_tip(ping)?$',
+ '^/licen[cs]es?$',
+ '^/tip(ping)?$',
+ ]
+ }
+
+ $real_hostname = lookup("base_installation::real_hostname") |$key| { {} }
+ unless empty($real_hostname) {
+ apache::vhost { "default_ssl":
+ port => '443',
+ docroot => '/srv/http',
+ servername => $real_hostname,
+ directoryindex => 'index.htm index.html',
+ priority => 0,
+ }
+ }
+
+ apache::vhost { "redirect_no_ssl":
+ port => '80',
+ error_log => false,
+ log_level => undef,
+ access_log => false,
+ docroot => false,
+ servername => "",
+ serveraliases => "*",
+ priority => 99,
+ rewrites => [
+ {
+ rewrite_cond => '"%{REQUEST_URI}" "!^/\.well-known"',
+ rewrite_rule => '^(.+) https://%{HTTP_HOST}$1 [R=301]'
+ }
+ ]
+ }
+
+ class { 'apache::mod::ssl':
+ ssl_protocol => [ 'all', '-SSLv3' ],
+ # Given by
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+ ssl_cipher => "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS",
+ # FIXME: need SSLSessionTickets off
+ ssl_stapling => true,
+ ssl_stapling_return_errors => false,
+ # FIXME: SSLStaplingResponderTimeout 5
+ ssl_ca => '/etc/ssl/certs/ca-certificates.crt',
+ }
+ class { 'apache::mod::alias': }
+ class { 'apache::mod::autoindex': }
+ # Included by ssl
+ # class { 'apache::mod::mime': }
+ class { 'apache::mod::deflate': }
+ class { 'apache::mod::rewrite': }
+
+ class { 'apache::mod::dir':
+ indexes => ["index.html"]
+ }
+
+ file { [
+ "/srv/http",
+ "/srv/http/.well-known",
+ "/srv/http/.well-known/acme-challenge"]:
+ ensure => "directory",
+ mode => "0755",
+ owner => "root",
+ group => "root",
+ }
+
+ file { "/srv/http/maintenance_immae.html":
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ source => "puppet:///modules/profile/apache/maintenance_immae.html",
+ }
+ file { "/srv/http/googleb6d69446ff4ca3e5.html":
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ source => "puppet:///modules/profile/apache/googleb6d69446ff4ca3e5.html",
+ }
+}