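# Profile: Apache httpd front end for this host.
#
# Declares the puppetlabs-apache base class with no default modules and no
# default vhost, ships a few server-wide snippets (logging, HTTP/2, document
# root, site-specific and ACME/LetsEncrypt config), sets resource defaults
# for every vhost evaluated under this class, and declares two vhosts: an
# optional port-443 vhost for the host's real name and a catch-all port-80
# vhost that redirects everything except /.well-known to HTTPS.
#
# Review notes:
#   * SSLProtocol now excludes TLS 1.0 and TLS 1.1 as well as SSLv3 (the
#     previous setting was 'all -SSLv3').  The cipher string is kept exactly
#     as generated, so nothing else about client compatibility changes.
#   * Puppet resource defaults (the Apache::Vhost { ... } block) are
#     dynamically scoped: they only reach apache::vhost resources evaluated
#     inside this class or inside classes this class declares.  Vhosts
#     declared from other profiles will not see them, which is the likely
#     explanation for the "default values ignored?" FIXME below.
class profile::apache {
  class { 'apache':
    # Lock down the filesystem root; per-vhost docroots re-open what they
    # need.  NOTE(review): Options "All" turns on every option flag
    # (Indexes, Includes, ExecCGI, ...) for any path that does not override
    # it — confirm this is intended rather than a narrower set.
    root_directory_secured => true,
    root_directory_options => ['All'],
    # Everything loaded or served is declared explicitly in this profile.
    default_mods           => false,
    default_vhost          => false,
    log_formats            => {
      # Stock "combined" format extended with the vhost name (%v) and the
      # server port (%p), so one access_log can be split per site later.
      combined => '%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p',
      common   => '%h %l %u %t \"%r\" %>s %b',
    },
  }

  # Single server-wide access log using the extended "combined" format above.
  ::apache::custom_config { 'log_config.conf':
    content  => 'CustomLog "/var/log/httpd/access_log" combined',
    filename => 'log_config.conf',
  }

  # Enable HTTP/2 (h2) with HTTP/1.1 fallback.
  ::apache::custom_config { 'protocols.conf':
    content  => 'Protocols h2 http/1.1',
    filename => 'protocols.conf',
  }

  # Server-wide snippets shipped from this module's files/ directory.
  ::apache::custom_config { 'document_root.conf':
    source   => 'puppet:///modules/profile/apache/document_root.conf',
    filename => 'document_root.conf',
  }

  ::apache::custom_config { 'immae.conf':
    source   => 'puppet:///modules/profile/apache/immae.conf',
    filename => 'immae.conf',
  }

  ::apache::custom_config { 'letsencrypt.conf':
    source   => 'puppet:///modules/profile/apache/letsencrypt.conf',
    filename => 'letsencrypt.conf',
  }

  # FIXME: default values ignored?
  # Resource defaults are dynamically scoped (see class comment): vhosts
  # declared outside this class's evaluation tree do not inherit these.
  # The URIs below are served locally even on reverse-proxied vhosts:
  # the maintenance page, the Google site-verification file and the ACME
  # HTTP-01 challenge path.
  Apache::Vhost {
    no_proxy_uris       => [
      '/maintenance_immae.html',
      '/googleb6d69446ff4ca3e5.html',
      '/.well-known/acme-challenge',
    ],
    no_proxy_uris_match => [
      '^/licen[cs]es?_et_tip(ping)?$',
      '^/licen[cs]es?_and_tip(ping)?$',
      '^/licen[cs]es?$',
      '^/tip(ping)?$',
    ],
  }

  # The lookup default is an empty hash so that empty() is true when the
  # key is absent and the HTTPS vhost for the real hostname is skipped.
  $real_hostname = lookup('base_installation::real_hostname') |$key| { {} }
  unless empty($real_hostname) {
    # NOTE(review): no ssl/ssl_cert/ssl_key parameters are given here;
    # presumably SSLEngine and the certificate come from one of the
    # custom_config snippets above (letsencrypt.conf / immae.conf).
    # Confirm — otherwise port 443 would answer in plain HTTP.
    apache::vhost { 'default_ssl':
      port           => '443',
      docroot        => '/srv/http',
      servername     => $real_hostname,
      directoryindex => 'index.htm index.html',
      priority       => 0,
    }
  }

  # Catch-all plain-HTTP vhost (empty ServerName, ServerAlias *, priority 99
  # so it sorts after every named vhost) that 301-redirects to HTTPS.
  # /.well-known is exempted so ACME HTTP-01 challenges stay reachable over
  # HTTP.  %{HTTP_HOST} is client-supplied, so the redirect only ever points
  # the client back at the name it asked for.
  apache::vhost { 'redirect_no_ssl':
    port          => '80',
    error_log     => false,
    log_level     => undef,
    access_log    => false,
    docroot       => false,
    servername    => '',
    serveraliases => '*',
    priority      => 99,
    rewrites      => [
      {
        rewrite_cond => '"%{REQUEST_URI}" "!^/\.well-known"',
        rewrite_rule => '^(.+) https://%{HTTP_HOST}$1 [R=301]',
      },
    ],
  }

  class { 'apache::mod::ssl':
    # SSLv3, TLS 1.0 and TLS 1.1 are all retired; only TLS 1.2+ is offered.
    # (Previously only SSLv3 was excluded.)
    ssl_protocol               => [ 'all', '-SSLv3', '-TLSv1', '-TLSv1.1' ],
    # Given by
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # NOTE(review): this is the "intermediate" list of its time; it still
    # contains 3DES (DES-CBC3-SHA) and non-ECDHE/DHE suites without forward
    # secrecy, kept here for legacy clients.  Trim it when those clients
    # are no longer needed.
    ssl_cipher                 => "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS",
    # FIXME: need SSLSessionTickets off
    # (Session tickets undermine forward secrecy while the ticket key is
    # kept in memory; disable once the module version in use exposes the
    # setting, or via a custom_config snippet.)
    # OCSP stapling on; on responder errors Apache sends no stapled
    # response instead of failing the handshake.
    ssl_stapling               => true,
    ssl_stapling_return_errors => false,
    # FIXME: SSLStaplingResponderTimeout 5
    # NOTE(review): this is SSLCACertificateFile, i.e. the trust store for
    # *client* certificates.  Pointing it at the whole system bundle means
    # any public CA could issue an accepted client cert should
    # SSLVerifyClient ever be enabled — only a concern if client-cert auth
    # is turned on in one of the snippets or vhosts.
    ssl_ca                     => '/etc/ssl/certs/ca-certificates.crt',
  }
  class { 'apache::mod::alias': }
  class { 'apache::mod::autoindex': }
  # Included by ssl
  # class { 'apache::mod::mime': }
  class { 'apache::mod::deflate': }
  class { 'apache::mod::rewrite': }

  class { 'apache::mod::dir':
    indexes => ['index.html'],
  }

  # Document root plus the ACME HTTP-01 challenge directory.
  # NOTE(review): owned by root and 0755 — whatever writes the challenge
  # files must run as root or be granted write access separately.
  file { [
    '/srv/http',
    '/srv/http/.well-known',
    '/srv/http/.well-known/acme-challenge']:
    ensure => 'directory',
    mode   => '0755',
    owner  => 'root',
    group  => 'root',
  }

  # Static files referenced by the Apache::Vhost no_proxy_uris defaults.
  file { '/srv/http/maintenance_immae.html':
    mode   => '0644',
    owner  => 'root',
    group  => 'root',
    source => 'puppet:///modules/profile/apache/maintenance_immae.html',
  }
  file { '/srv/http/googleb6d69446ff4ca3e5.html':
    mode   => '0644',
    owner  => 'root',
    group  => 'root',
    source => 'puppet:///modules/profile/apache/googleb6d69446ff4ca3e5.html',
  }
}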