Merge remote-tracking branch 'upstream/ids_lab_squashed' into week_4_merge_branch

# Conflicts:
#	lib/templates/Vagrantfile.erb
thomashaw
2017-10-21 10:52:02 +01:00
387 changed files with 30330 additions and 76 deletions


@@ -49,12 +49,6 @@ cd /home/user/bin/SecGen
bundle install
```
### Optional software requirements
To save yourself some time you can enable caching of downloaded packages. Simply install vagrant-cachier:
```bash
vagrant plugin install vagrant-cachier
```
## Usage
Basic usage:
```bash


@@ -304,6 +304,11 @@ class System
command = "ruby #{selected.local_calc_file} #{args_string}"
Print.verbose "Running: #{command}"
outputs = `#{command}`.chomp
unless $?.success?
Print.err "Module failed to run (#{command})"
# TODO: this works, but subsequent attempts at resolving the scenario always fail ("Error can't add no data...")
raise 'failed'
end
output_array = outputs.split("\n")
selected.output = output_array.map { |o| Base64.strict_decode64 o }
end
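Review bot: The failure path added at `unless $?.success?` raises a bare `RuntimeError` whose message is just `'failed'`, so anything that rescues it upstream loses which module and command failed; that detail exists only in the `Print.err` line. Keeping it on the exception, e.g. `raise "Module failed to run (#{command})"` (or a project-specific error class if one exists), costs nothing and makes the failure diagnosable from a log that does not include stderr. Note also that backticks capture only stdout, so any reason the module printed on stderr is not in `outputs` and cannot be surfaced here. The TODO on the following line reports that later resolution attempts fail after this raise, which suggests partial state is left behind; if so, that cleanup belongs before the `raise`. The enclosing method starts before the hunk.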


@@ -44,7 +44,7 @@ class XmlMarkerGenerator
end
}
add_hint("Remember, search for text in the format of flag{SOMETHING}, and submit it for points", "flaggyflag", "normal", xml)
# add_hint("Remember, search for text in the format of flag{SOMETHING}, and submit it for points", "flaggyflag", "normal", xml)
}
end
}
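Review bot: The `add_hint(...)` call appears both active and as a commented-out copy; if the commented-out line is the new side, the call should be removed rather than kept as a comment, since the history already preserves it and a commented-out call carrying a literal hint string will drift out of date. If it is meant as a temporary switch, a one-line comment stating why it is disabled (e.g. `# hint disabled: …`) would tell the next reader whether it is safe to delete. The enclosing block starts before the hunk.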


@@ -100,13 +100,6 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
<%= system.name %>.vm.provision 'shell', inline: "echo 'datasource_list: [ None ] '> /etc/cloud/cloud.cfg.d/90_dpkg.cfg"
<% end -%>
# Optimise package caching (re-use downloaded .deb, ruby gems, etc)
# if Vagrant.has_plugin?("vagrant-cachier")
# Configure cached packages to be shared between instances of the same base box.
# More info on http://fgrehm.viewdocs.io/vagrant-cachier/usage
# config.cache.scope = :box
# end
# SecGen datastore
# <%= JSON.generate($datastore) %>


@@ -0,0 +1,45 @@
#!/usr/bin/ruby
require_relative '../../../../../../lib/objects/local_hackerbot_config_generator.rb'
class IDS < HackerbotConfigGenerator
attr_accessor :web_server_ip
attr_accessor :ids_server_ip
attr_accessor :hackerbot_server_ip
def initialize
super
self.module_name = 'Hackerbot Config Generator IDS'
self.title = 'IDS'
self.local_dir = File.expand_path('../../',__FILE__)
self.templates_path = "#{self.local_dir}/templates/"
self.config_template_path = "#{self.local_dir}/templates/lab.xml.erb"
self.html_template_path = "#{self.local_dir}/templates/labsheet.html.erb"
self.web_server_ip = []
self.ids_server_ip = []
self.hackerbot_server_ip = []
end
def get_options_array
super + [['--web_server_ip', GetoptLong::REQUIRED_ARGUMENT],
['--ids_server_ip', GetoptLong::REQUIRED_ARGUMENT],
['--hackerbot_server_ip', GetoptLong::REQUIRED_ARGUMENT]]
end
def process_options(opt, arg)
super
case opt
when '--web_server_ip'
self.web_server_ip << arg;
when '--ids_server_ip'
self.ids_server_ip << arg;
when '--hackerbot_server_ip'
self.ids_server_ip << arg;
end
end
end
IDS.new.run
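Review bot: In `process_options`, the `when '--hackerbot_server_ip'` branch appends to `self.ids_server_ip` instead of `self.hackerbot_server_ip`, so the hackerbot address is never recorded and the IDS list gets a spurious entry; the line should read `self.hackerbot_server_ip << arg`. The trailing semicolons on the three `<<` lines are redundant in Ruby and can be dropped. The class, its three accessors and `get_options_array` carry no documentation; a header comment such as `# Hackerbot config generator for the IDS lab; collects web, IDS and hackerbot server IPs via --*_ip options (each may repeat)` would tell a reader why the accessors are arrays.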


@@ -0,0 +1,51 @@
<?xml version="1.0"?>
<generator xmlns="http://www.github/cliffe/SecGen/generator"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/generator">
<name>Hackerbot config for a backups lab</name>
<author>Z. Cliffe Schreuders</author>
<module_license>GPLv3</module_license>
<description>Generates a config file for a hackerbot for a backups lab.
Topics covered: .</description>
<type>hackerbot_config</type>
<platform>linux</platform>
<read_fact>accounts</read_fact>
<read_fact>flags</read_fact>
<read_fact>root_password</read_fact>
<read_fact>web_server_ip</read_fact>
<read_fact>ids_server_ip</read_fact>
<read_fact>hackerbot_server_ip</read_fact>
<!--TODO: require input, such as accounts, or fail?-->
<default_input into="accounts">
<generator type="account">
<input into="username">
<value>vagrant</value>
</input>
</generator>
</default_input>
<default_input into="flags">
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
<generator type="flag_generator"/>
</default_input>
<default_input into="root_password">
<value>puppet</value>
</default_input>
<output_type>hackerbot</output_type>
</generator>
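Review bot: The `<name>` and `<description>` still describe a backups lab, while the `read_fact` entries (`web_server_ip`, `ids_server_ip`, `hackerbot_server_ip`) belong to the IDS lab, and `Topics covered: .` is empty; this looks like copy-paste from another generator and should read e.g. `<name>Hackerbot config for an IDS lab</name>` with the topics filled in. The `root_password` default is a fixed literal, so a scenario that omits that input silently gets a known password; the existing TODO comment above the first `default_input` already asks whether such inputs should be required, and failing on a missing value would be the safer resolution. The three `*_ip` facts have no `default_input`, so what happens when a scenario omits them is left to the consuming template (elsewhere in this commit it takes `.first` of each, which would presumably yield nil).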


@@ -0,0 +1,29 @@
<html>
<head>
<title><%= self.title %></title>
</head>
<body>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="css/github-markdown.css">
<style>
.markdown-body {
box-sizing: border-box;
min-width: 200px;
max-width: 980px;
margin: 0 auto;
padding: 45px;
}
@media (max-width: 767px) {
.markdown-body {
padding: 15px;
}
}
</style>
<article class="markdown-body">
<%= self.html_rendered %>
</article>
<script src="js/code-prettify/loader/run_prettify.js"></script>
</body>
</html>
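Review bot: The `<meta name="viewport">` and `<link rel="stylesheet">` elements are placed inside `<body>` rather than `<head>`; browsers tolerate this but it is invalid HTML and the viewport meta may be ignored by some engines, so both lines should move up beside `<title>`. The document also has no `<!DOCTYPE html>` and no `<meta charset="utf-8">`, which puts it in quirks mode and leaves the encoding to sniffing; adding `<!DOCTYPE html>` as the first line and `<meta charset="utf-8">` in `<head>` fixes both. `<%= self.html_rendered %>` is inserted raw, which is presumably intended since it holds rendered markdown, but it is worth a comment noting that the value must already be trusted HTML.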


@@ -0,0 +1,4 @@
## License
This lab by [*Z. Cliffe Schreuders*](http://z.cliffe.schreuders.org) at Leeds Beckett University is licensed under a [*Creative Commons Attribution-ShareAlike 3.0 Unported License*](http://creativecommons.org/licenses/by-sa/3.0/deed.en_GB).
Included software source code is also licensed under the GNU General Public License, either version 3 of the License, or (at your option) any later version.


@@ -0,0 +1,432 @@
# Intrusion Detection and Prevention Systems: Configuration and Monitoring using Snort
## Getting started
### VMs in this lab
==Start these VMs== (if you haven't already):
- hackerbot_server (leave it running, you don't log into this)
- ids_server (IP address: <%= $ids_server_ip %>)
- web_server (IP address: <%= $web_server_ip %>)
- desktop
All of these VMs need to be running to complete the lab.
**Ensure VMs allow promiscuous mode**
If you are completing this lab on Leeds Beckett oVirt infrastructure, this should be sorted. Otherwise, if you have used SecGen to spin up VMs, you need to ensure your VMs have permission to monitor networks by using promiscuous mode.
### Your login details for the "desktop" and "ids_server" VMs
User: <%= $main_user %>
Password: tiaspbiqe2r (**t**his **i**s **a** **s**ecure **p**assword **b**ut **i**s **q**uite **e**asy **2** **r**emember)
You won't login to the hackerbot_server, but the VM needs to be running to complete the lab.
You don't need to login to the backup_server or web_server, but you will connect to them via SSH and http later in the lab.
### For marks in the module
1. **You need to submit flags**. Note that the flags and the challenges in your VMs are different to other's in the class. Flags will be revealed to you as you complete challenges throughout the module. Flags look like this: ==flag{*somethingrandom*}==. Follow the link on the module page to submit your flags.
2. **You need to document the work and your solutions in a workbook**. This needs to include screenshots (including the flags) of how you solved each Hackerbot challenge and a writeup describing your solution to each challenge, and answering any "Workbook Questions". The workbook will be submitted later in the semester.
## Hackerbot!
![small-right](images/skullandusb.svg)
This exercise involves interacting with Hackerbot, a chatbot who will task you to monitor the network and will attack your system. If you satisfy Hackerbot by completing the challenges, she will reveal flags to you.
Work through the below exercises, completing the Hackerbot challenges as noted.
---
## Network monitoring basics
It is important for an organisation to monitor their network for detecting unwanted behaviour, such as malicious attacks or organisational resources being misused.
### Tcpdump
This section gives a quick overview of the basics of network monitoring, using tools such as Tcpdump. Keep in mind that these are important foundations, and we will quickly build on these.
**From your desktop VM**, ==SSH into the ids_server==. **Leave this console open in a separate tab** (Shift-Ctrl-T):
```bash
ssh <%= $main_user %>@<%= $ids_server_ip %>
sudo -i
```
**From this ssh session:** To view live network traffic, ==start tcpdump on the ids_server via ssh:==
```bash
tcpdump
```
> Tip: If running tcpdump generates the error "packet printing is not supported for link type USB\_Linux: use -w", then append "-i *eth0*" to each tcpdump command. (Where eth0 is the name of the interface as reported by ifconfig).
With tcpdump still running via ssh, **from the desktop VM** ==perform a ping to the ids_server VM.==
```bash
ping <%= $ids_server_ip %>
```
> Run the above from the desktop VM (not from the tab SSHed to the ids_server).
> Note that tcpdump displays the network activity taking place, including the pings, and various TCP connections and ARP requests. Depending on your environment you might be seeing the traffic between various VMs.
The IDS server has a network card interface that can enter promiscuous mode, meaning that it can view traffic destined to other systems on the network. (Not just the traffic destined for the ids_server, as would normally be the case.)
Test this, **from the desktop** ==ping the web_server==:
```bash
ping <%= $web_server_ip %>
```
> If your network is configured correctly, from the Tcpdump running on the ids_server you should see the pings between these separate VMs (the desktop, and the web_server). Take the time to confirm that this is working.
Once you have seen tcpdump in action displaying these packets ==press Ctrl-C to exit.==
Tcpdump can format the output in various ways, showing various levels of detail.
**From the ids_server SSH session** tab, ==run:==
```bash
tcpdump -q
```
> This shows a less verbose version of the output.
**From the desktop** ==Ping the web_server VM again and observe the tcpdump output in the ssh session.==
```bash
tcpdump -A
```
> Shows the packet content without the information about the source and destination.
When you ==access a web page in a browser on the desktop VM== (go ahead... ==reload this labsheet== webpage), Tcpdump will display the content, so long as the traffic is not SSL encrypted (for example, so long as the URL doesn't start with http**s**://).
==Ping the web_server again== and observe the output.
Stop tcpdump (Ctrl-C) on the ids_server VM once you have observed the output.
==Run the following== command **on the ids_server** SSH session:
```bash
tcpdump -v
```
> The above is even more verbose, showing lots of detail about the network traffic.
Now try the ==port scan again==. Note the very detailed output.
It is possible to write tcpdump network traffic to storage, so that it can be analysed later:
```bash
tcpdump -w /tmp/tcpdump-output
```
While that is running, ==access a web page from Firefox on the desktop VM== browse to:
> ==<%= $web_server_ip %>==
Then ==close tcpdump== (Ctrl-C).
To view the file containing the tcpdump output on the Kali VM type:
```bash
less /tmp/tcpdump-output
```
> (Press "y" to see the output if you are warned that it may be a binary file)
> You should be able to PageUp and PageDown through the file.
> Press "Q" to quit when ready
Run `man tcpdump` and read about the many options for output and filtering.
### Tcpdump filtering
We can also use tcpdump to do some simple monitoring of the network traffic to detect certain key words.
**On the ids_server** ssh session, ==run:==
```bash
tcpdump -A | grep "GET"
```
> Tip: if you are using a UK keyboard and the VM configured for US, the "|" symbol is located where "\~" is.
Open a web browser **on the desktop VM**, and visit [*http://<%= $web_server_ip %>*](http://<%= $web_server_ip %>), note that tcpdump captures *most* network content, and grep can be used to filter it down to lines that are interesting to us.
Note that making sense of this information using tcpdump and/or Wireshark is possible (and is a common sys-admin task), but the output is too noisy to be constantly and effectively monitored by a human to detect security incidents. Therefore we can use an IDS such as Snort to monitor and analyse the network traffic to detect activity that it is configured to alert.
Make sure tcpdump is stopped (Ctrl-C).
## IDS monitoring basics
Continuing **on the ids_server VM** ssh session:
==Make a backup== of the snorts configuration file in case anything goes wrong:
```bash
cp /etc/snort/snort.conf /etc/snort/snort.conf.bak
```
==Change Snorts output== to something more readable:
```bash
vi /etc/snort/snort.conf
```
> (Remember: editing using vi involves pressing "i" to insert/edit text, then *Esc*,
> ":wq" to write changes and quit)
==Comment out== the line starting with "`output` …"
> (Put a \# in front of it)
==Add the following line:==
`output alert_fast`
> **Help with find in vi:** the find command in vi is the / character (forward slash) . When **NOT in insert mode** (pressing Esc will get you out of insert mode if you need to), to find "output" you could enter / output \[+ PRESS ENTER\] Then press the n character to find the next output and the next and the next and the next etc.
>
> If there is still no alert file in /var/log/snort/, you may need to edit /etc/snort/snort.debian.conf, to use the correct interface (for example, eth1 if the output of "ifconfig" does not contain "eth0").
==Start Snort:==
```bash
systemctl start snort
```
Snort should now be running, monitoring network traffic for activity.
==Do an nmap port scan of the ids_server== VM (from the desktop VM):
```bash
nmap <%= $ids_server_ip %>
```
This should trigger an alert from Snort, which is stored in an alerts log file.
"Follow" the Snort alert log file by running:
```bash
tail -f /var/log/snort/alert
```
>The tail program will wait for new alerts to be written to the file, and will display them as they are logged.
==LogBook question: Does the log match what happened? Are there any false positives (alerts that describe things that did not actually happen)?==
==Do an nmap port scan of the web_server== VM (from the desktop VM):
```bash
nmap <%= $web_server_ip %>
```
This should trigger another alert.
Press Ctrl-C to ==stop the alert tail process==, if it did not do so automatically.
The Snort configuration file can be configured to output, a "tcpdump" formatted network capture.
Open the snort.conf file in vi:
```bash
vi /etc/snort/snort.conf
```
> (Remember: editing using vi involves pressing "i" to insert/edit text, then *Esc*, ":wq" to write changes and quit)
Add the following line and then save the changes (or uncomment by removing the \#):
`output log_tcpdump: tcpdump.log`
Restart Snort:
```bash
systemctl restart snort
```
Try another type of port scan, such as an ==Xmas Tree scan from the desktop== VM (Hint: `man nmap`).
Then run the following command to ==view the contents of the log:==
```bash
tcpdump -r /var/log/snort/tcpdump.log.*
```
You can use tcpdumps various flags to change the way it is displayed, or you could even open the logged network activity in Wireshark.
##Configuring Snort
**On the ids_server** ssh session, ==edit /etc/snort/snort.conf==; for example:
```bash
vi /etc/snort/snort.conf
```
> (Remember: editing using vi involves pressing "i" to insert/edit text, then *Esc*, ":wq" to write changes and quit)
Scroll through the config file and, take notice of these details:
- In a production environment you would configure Snort to to correctly identify which traffic is considered LAN traffic, and which IP addresses are known to run various servers (this is also configured in snort.debian.conf). In this case, we will leave these settings as is.
- Note the line "`var RULE_PATH /etc/snort/rules`": this is where the IDS signatures are stored.
- Note the presence of a Back Orifice detector preprocessor "bo". Back Orifice was a Windows Trojan horse that was popular in the 90s.
- We have already seen the "sfportscan" preprocessor in practice, detecting various kinds of port scans.
- The "arpspoof" preprocessor is described as experimental, and is not enabled by default.
- Towards the end of the config file are "include" lines, which specify which of the rule files in RULE\_PATH are in effect. As is common, lines beginning with "\#" are ignored, which is used to list disabled rule files. There are rule files for detecting known exploits, attacks against services such as DNS and FTP, denial of service (DoS) attacks, and so on.
Add the following line below the other include rules (at the end of the file):
`include $RULE_PATH/my.rules`
Save your changes to snort.conf
> (For example, in vi, press Esc, then type ":wq").
> Hint: you may find it easier to use Esc, then type ":w" to write your changes to disk and then type ":q" to exit (or "x" shorthand for "wq").
Run this command, to ==create your new rule file:==
```bash
touch /etc/snort/rules/my.rules
```
==Edit the file.== For example:
```bash
vi /etc/snort/rules/my.rules
```
==Add this line (*with your own name*), and save your changes:==
`alert icmp any any ->any any (msg: "*Your-name*: ICMP Packet found"; sid:1000000; rev:1;)`
> For example, `alert icmp any any -> any any (msg: "**Cliffe**: ICMP Packet found"; sid:1000000; rev:1;)`
Now that you have new rules, tell Snort to ==reload its configuration:==
```bash
systemctl restart snort
```
> If after attempting a reload, Snort fails to start, then you have probably made a configuration mistake, so check the log for details by running: `tail /var/log/syslog`
Due to the new rule you have just applied, sending a simple ICMP Ping (typically used to troubleshoot connectivity) will trigger a Snort alert.
Try it, **from the desktop** VM, ==ping the web_server:==
```bash
ping <%= $web_server_ip %>
```
Check for the Snort alert. You should see that the ping was detected, and our new message was added to the alerts log file.
## Writing your own Snort rules
Snort is predominantly designed as a signature-based IDS. Snort monitors the network for matches to rules that indicate activity that should trigger an alert. You have now seen Snort detect a few types of activity, and have added a rule to detect ICMP packets. Next you will apply more complicated rules, and create your own.
In addition to the lecture slides, you may find this resource helpful to complete these tasks:
> Martin Roesch (n.d.) **Chapter 2:** Writing Snort Rules - How to Write Snort Rules and Keep Your Sanity. In: *Snort Users Manual*. Available from: &lt;[*http://www.snort.org.br/documentacao/SnortUsersManual.pdf*](http://www.snort.org.br/documentacao/SnortUsersManual.pdf)&gt;
In general, rules are defined on one line (although, they can break over lines by using `\`), and take the form of:
**header (body)**
where header = "**action** (log,alert) **protocol** (ip,tcp,udp,icmp,any) **source_IP** **source_port** **direction** (-&gt;,&lt;&gt;) **destination_IP** **destination_port**"
> for example: `alert tcp any any -> any any` to make an alert for all TCP traffic, or `alert tcp any any -> 192.168.0.1 23` to make an alert for connections to telnet on the given IP address
and body = "**option; option: "parameter"; ...**"
The most common options are:
> `msg: "message to display"`
and, to search the packets content:
> `content: "some text to search for"`
To set the type of alert:
> `classtype:misc-attack`
>
> (where *misc-attack* is defined in `/etc/snort/classification.conf`)
To give a unique identifier and revision version number:
> `sid:1000001; rev:1`
So for example the body could be:
> `msg: "user login attempt"; content: "user"; classtype:attempted-user; sid:1000001; rev:1;`
And bringing all this together a Snort rule could read:
> `alert tcp any any -> 192.168.0.1 110 (msg: "Email login attempt"; content: "user"; classtype:attempted-user; sid:1000001; rev:1;)`
This rule looks at packets destined for 192.168.0.1 on the pop3 Email port (110), and sends an alert if the content contains the "user" command (which is used to log on to check email). Note that this rule is imperfect as it is, since it is case sensitive.
There are lots more options that can make rules more precise and efficient. For example, making them case insensitive, or starting to search content after an offset. Feel free to do some reading, to help you to create better IDS rules.
==Figure out how the rule could be improved to be case insensitive.==
==Browse the existing rules in `/etc/snort/rules` and figure out how at least two of them work.==
Lets create a basic rule that detects any web traffic on port 80.
```bash
echo "alert tcp any any -> any 80 (msg: "Web traffic detected - RANDOM"; sid:1000002; rev:1;)" >> /etc/snort/rules/my.rules
systemctl restart snort
```
Browse to a website, and confirm the rule worked to generate an alert containing RANDOM.
# TODO RANDOM
# HACKERBOT ATTACKS
(Move up above)
I'm about to attack your system, use Snort to detect the method of attack.
??? quiz???
Random IP address? LPORT?
---
Add a rule to detect any attempt to connect to a Telnet server, the output message must include "- RANDOM". Connections to a Telnet server could be a security issue, since logging into a networked computer using Telnet is known to be insecure because traffic is not encrypted. Don't forget to reload Snort!
Once you have saved your rule and reloaded Snort, test this rule by using Telnet. Rather than starting an actual Telnet server (unless you want to do so), you can simulate this by using Netcat to listen on the Telnet port, then connect with Telnet from the desktop VM.
On a terminal on the Kali Linux VM:
```bash
netcat -l -p 23
```
Leaving that running, and on a terminal on the openSUSE VM:
```bash
telnet localhost
```
Type "hello"
##TODO
Create a rule that only triggers on loading the Webserver's homepage (http://<%= $web_server_ip %>). Don't forget to reload Snort.
---
Create a rule that triggers on the
##TODO
Create a Snort rule that detects visits to the Leeds Beckett website from the Kali VM, but does not get triggered by general web browsing.
Hints:
> Look at some of the existing Snort rules for detecting Web sites, such as those in /etc/snort/rules/community-inappropriate.rules
> In the IMS labs or when using oVirt, you are likely using the proxy to access the web, so you will need to approach your rules a little differently, you may find you need to change the port you are listening to. Look at the output of tcpdump -A when you access a web page, what does the traffic contain that may point to what is being accessed? Have a look through the output of tcpdump for the text "Host".
As before, include your name in the alert message.
##TODO
Setup Snort as an intrusion *prevention* system (IPS): on the Kali VM so that it can actually deny traffic, and demonstrate with a rule. You may wish to extend the Leeds Beckett website rule, so that all attempts to access the website are denied by Snort.
# write a rule that detects
"Top secret"
Randomly specified content
Randomly generated content (requires network monitoring)
attacks
random port number (by service name?)


@@ -0,0 +1,38 @@
# Intrusion Detection and Prevention Systems: Configuration and Monitoring using Snort
## Getting started
### VMs in this lab
==Start these VMs== (if you haven't already):
- hackerbot_server (leave it running, you don't log into this)
- ids_server (IP address: <%= $ids_server_ip %>)
- web_server (IP address: <%= $web_server_ip %>)
- desktop
All of these VMs need to be running to complete the lab.
**Ensure the ids_server VM is allowed promiscuous mode.** If you are completing this lab on Leeds Beckett oVirt infrastructure, this should be sorted. Otherwise, if you have used SecGen to spin up VMs, you need to ensure your VMs have permission to monitor networks using promiscuous mode. On the Leeds Beckett oVirt infrastructure we have snoop networks, which mirror all the traffic between systems. On Virtualbox, you would need to go to Advanced network settings for the host-only network on the ids_server and enable promiscious mode.
### Your login details for the "desktop" and "ids_server" VMs
User: <%= $main_user %>
Password: tiaspbiqe2r (**t**his **i**s **a** **s**ecure **p**assword **b**ut **i**s **q**uite **e**asy **2** **r**emember)
You won't login to the hackerbot_server or web_server, but all the VMs need to be running to complete the lab.
### For marks in the module
1. **You need to submit flags**. Note that the flags and the challenges in your VMs are different to other's in the class. Flags will be revealed to you as you complete challenges throughout the module. Flags look like this: ==flag{*somethingrandom*}==. Follow the link on the module page to submit your flags.
2. **You need to document the work and your solutions in a workbook**. This needs to include screenshots (including the flags) of how you solved each Hackerbot challenge and a writeup describing your solution to each challenge, and answering any "Workbook Questions". The workbook will be submitted later in the semester.
## Hackerbot!
![small-right](images/skullandusb.svg)
This exercise involves interacting with Hackerbot, a chatbot who will task you to monitor the network and will attack your systems. If you satisfy Hackerbot by completing the challenges, she will reveal flags to you.
Work through the below exercises, completing the Hackerbot challenges as noted.
---
## Network monitoring basics
It is important for an organisation to monitor their network for detecting unwanted behaviour, such as malicious attacks or organisational resources being misused.
Please take care to observe the instructions on which VM each command should be run from. (*There is quite a bit of switching between VMs in this lab.*)


@@ -0,0 +1,308 @@
<%
require 'json'
require 'securerandom'
require 'digest/sha1'
require 'fileutils'
require 'erb'
if self.accounts.empty?
abort('Sorry, you need to provide an account')
end
$first_account = JSON.parse(self.accounts.first)
$second_account = JSON.parse(self.accounts[1])
$files = []
$log_files = []
if $second_account.key?("leaked_filenames") && $second_account['leaked_filenames'].size > 0
$files = $second_account['leaked_filenames']
$log_files = $second_account['leaked_filenames'].grep(/log/)
end
if $files.empty?
$files = ['myfile', 'afile', 'filee', 'thefile']
end
if $log_files.empty?
$log_files = ['log', 'thelog', 'logs', 'frogonalog']
end
$main_user = $first_account['username'].to_s
$second_user = $second_account['username'].to_s
$example_file = "/home/#{$second_user}/#{$files.sample}"
$example_dir = "/home/#{$second_user}/personal_secrets/"
$web_server_ip = self.web_server_ip.first
$ids_server_ip = self.ids_server_ip.first
$hackerbot_server_ip = self.hackerbot_server_ip.first
$root_password = self.root_password
$flags = self.flags
REQUIRED_FLAGS = 10
while $flags.length < REQUIRED_FLAGS
$flags << "flag{#{SecureRandom.hex}}"
Print.err "Warning: Not enough flags provided to hackerbot_config generator, some flags won't be tracked/marked!"
end
def get_binding
binding
end
%>
<?xml version="1.0"?>
<hackerbot
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/hackerbot">
<!--<hackerbot xmlns="http://www.github/cliffe/SecGen/hackerbotz"-->
<name>Hackerbot</name>
<AIML_chatbot_rules>config/AIML</AIML_chatbot_rules>
<!--Method for gaining shell access, can be overwritten per-attack-->
<!--<get_shell>bash</get_shell>-->
<get_shell>false</get_shell>
<messages>
<greeting>Your web server is going to be attacked. I have inside information that will help you to monitor your network for the attacks. If you work with me I'll provide you with some flags.</greeting>
<!--Must provide alternatives for each message-->
<say_ready>When you are ready, simply say 'ready'.</say_ready>
<say_ready>'Ready'?</say_ready>
<next>Ok, I'll do what I can to move things along...</next>
<next>Moving things along to the next one...</next>
<previous>Ok, I'll do what I can to back things up...</previous>
<previous>Ok, backing up.</previous>
<goto>Ok, skipping it along.</goto>
<goto>Let me see what I can do to goto that attack.</goto>
<last_attack>That was the last one for now. You can rest easy, until next time... (End.)</last_attack>
<last_attack>That was the last one. Game over?</last_attack>
<first_attack>You are back to the beginning!</first_attack>
<first_attack>This is where it all began.</first_attack>
<getting_shell>Doing my thing...</getting_shell>
<getting_shell>Here we go...</getting_shell>
<got_shell>...</got_shell>
<got_shell>....</got_shell>
<repeat>Let me know when you are 'ready', if you want to move on say 'next', or 'previous' and I'll move things along.</repeat>
<repeat>Say 'ready', 'next', or 'previous'.</repeat>
<!--Single responses:-->
<help>I am waiting for you to say 'ready', 'next', 'previous', 'list', 'goto *X*', or 'answer *X*'</help>
<say_answer>Say "The answer is *X*".</say_answer>
<no_quiz>There is no question to answer</no_quiz>
<correct_answer>Correct</correct_answer>
<incorrect_answer>Incorrect</incorrect_answer>
<invalid>That's not possible.</invalid>
<non_answer>Wouldn't you like to know.</non_answer>
<!--can be overwritten per-attack-->
<shell_fail_message>Oh no. Failed to get shell... You need to let us in.</shell_fail_message>
</messages>
<tutorial_info>
<title>Backing Up and Recovering from Disaster: SSH/SCP, Deltas, and Rsync</title>
<tutorial><%= ERB.new(File.read self.templates_path + 'intro.md.erb').result(self.get_binding) %></tutorial>
<footer>
<%= File.read self.templates_path + 'resources.md.erb' %>
<%= File.read self.templates_path + 'license.md.erb' %>
Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%= Time.new.to_s %>)
</footer>
<provide_tutorial>true</provide_tutorial>
</tutorial_info>
<attack>
<% $rand1 = SecureRandom.hex(2)-%>
<pre_shell>curl -v -H 'Something-worth-noting: <%= $rand1 %>:<%= $flags.pop %>' <%= $web_server_ip %> > /dev/null; echo $? </pre_shell>
<get_shell>false</get_shell>
<post_command></post_command>
<prompt>#1 Monitor the network traffic using Tcpdump or Wireshark, and look out for a string starting with "<%= $rand1 %>".</prompt>
<condition>
<output_matches>0</output_matches>
<message>Hope you found the flag! Moving on...</message>
<trigger_next_attack>true</trigger_next_attack>
</condition>
<condition>
<output_matches>1</output_matches>
<message>:( Failed to talk to the web server (<%= $web_server_ip %>)</message>
</condition>
<else_condition>
<message>Ok, next up...</message>
</else_condition>
<tutorial><%= ERB.new(File.read self.templates_path + 'tcpdump.md.erb').result(self.get_binding) %></tutorial>
</attack>
<attack>
<% $rand_port = rand(65535)-%>
<pre_shell>nmap -p <%= $rand_port %> <%= $web_server_ip %> > /dev/null; echo $? </pre_shell>
<get_shell>false</get_shell>
<post_command></post_command>
<prompt>#2 Monitor the network traffic, and look out for attempts to scan your webserver (<%= $web_server_ip %>). You need to identify what port the connection attempt is to.</prompt>
<condition>
<output_matches>0</output_matches>
<message>Hope you found the port number.</message>
<trigger_quiz />
</condition>
<condition>
<output_matches>1</output_matches>
<message>:( Failed to scan the web server (<%= $web_server_ip %>)</message>
</condition>
<!--<else_condition>-->
<!--<message>:( Something was not right...</message>-->
<!--</else_condition>-->
<quiz>
<question>Now after the attack, what port number was scanned?</question>
<answer>^<%= $rand_port %>$</answer>
<correct_answer_response>:) <%= $flags.pop %></correct_answer_response>
<trigger_next_attack />
</quiz>
</attack>
<!--
# TODO MORE RANDOM HACKERBOT ATTACKS
I'm about to attack your system, use Snort to detect the method of attack.
-->
<attack>
<pre_shell>nmap <%= $web_server_ip %> > /dev/null; echo $? </pre_shell>
<get_shell>false</get_shell>
<post_command></post_command>
<prompt>#3 Your webserver is about to be scanned/attacked. Make sure you are using Snort to monitor your network... This make take a while (a few minutes) please be patient.</prompt>
<condition>
<output_matches>0</output_matches>
<message>Hope you caught with Snort.</message>
<trigger_quiz />
</condition>
<condition>
<output_matches>1</output_matches>
<message>:( Failed to scan the web server (<%= $web_server_ip %>)</message>
</condition>
<else_condition>
<message>Ok...</message>
</else_condition>
<quiz>
<question>Was that a scan or an attack?</question>
<answer>^scan$</answer>
<correct_answer_response>:) <%= $flags.pop %></correct_answer_response>
<trigger_next_attack />
</quiz>
<tutorial><%= ERB.new(File.read self.templates_path + 'snort.md.erb').result(self.get_binding) %></tutorial>
</attack>
<attack>
<get_shell>msfconsole -x "use exploit/unix/misc/distcc_exec; set RHOST <%= $web_server_ip %>; exploit"</get_shell>
<post_command>whoami >> out;id >> out;touch hackerbotwashere; echo $?</post_command>
<prompt>#4 Your webserver is about to be scanned/attacked. Make sure you are using Snort to monitor your network... This make take a while (a few minutes) please be patient.</prompt>
<condition>
<output_matches>0</output_matches>
<message>Hope you caught that.</message>
<trigger_quiz />
</condition>
<condition>
<output_matches>1</output_matches>
<message>:( Failed to contact the web server (<%= $web_server_ip %>)</message>
</condition>
<else_condition>
<message>:( Something was not right...</message>
</else_condition>
<quiz>
<question>What user did the attacker get access to?</question>
<answer>^distccd</answer>
<correct_answer_response>:) <%= $flags.pop %></correct_answer_response>
<trigger_next_attack />
</quiz>
</attack>
<attack>
<pre_shell>nmap -sX <%= $web_server_ip %> > /dev/null; echo $? </pre_shell>
<shell>false</shell>
<post_command></post_command>
<prompt>#5 Your webserver is about to be scanned/attacked. Make sure you are using Snort to monitor your network...</prompt>
<condition>
<output_matches>0</output_matches>
<message>Hope you caught that.</message>
<trigger_quiz />
</condition>
<condition>
<output_matches>1</output_matches>
<message>:( Failed to scan the web server (<%= $web_server_ip %>)</message>
</condition>
<else_condition>
<message>Ok...</message>
</else_condition>
<quiz>
<question>Was that a scan or an attack?</question>
<answer>^scan$</answer>
<correct_answer_response>:) <%= $flags.pop %></correct_answer_response>
<trigger_next_attack />
</quiz>
<tutorial><%= ERB.new(File.read self.templates_path + 'snort.md.erb').result(self.get_binding) %></tutorial>
</attack>
<attack>
<shell>msfconsole -x "use exploit/unix/misc/distcc_exec; set RHOST <%= $web_server_ip %>; exploit"</shell>
<post_command>whoami > /dev/null; echo "<%= $flags.pop %>" > /dev/null; echo 'Find the flag! (in the network traffic)'</post_command>
<prompt>#6 Your webserver is about to be scanned/attacked. Use Tcpdump and/or Wireshark to view the behaviour of the attacker. There is a flag to be found over the wire. </prompt>
<condition>
<output_matches>0</output_matches>
<message>Hope you caught that.</message>
<trigger_next_attack />
</condition>
<condition>
<output_matches>1</output_matches>
<message>:( Failed to contact the web server (<%= $web_server_ip %>)</message>
</condition>
<else_condition>
<message>:( Something was not right...</message>
</else_condition>
</attack>
<!--<attack>-->
<!--&lt;!&ndash;shell on the backup server&ndash;&gt;-->
<!--<get_shell>sshpass -p <%= $root_password %> ssh -oStrictHostKeyChecking=no root@<%= $web_server_ip %> /bin/bash</get_shell>-->
<!--&lt;!&ndash; topic: Rsync&ndash;&gt;-->
<!--<prompt>It's your job to set up remote backups for <%= $second_user %> (a user on your system). Use rsync to create a full (epoch) remote backup of /home/<%= $second_user %> from your desktop system to the backup_server: <%= $web_server_ip %>:/home/<%= $main_user %>/remote-rsync-full-backup/<%= $second_user %>.</prompt>-->
<!--<post_command>ls /home/<%= $main_user %>/remote-rsync-full-backup/<%= $second_user %>/<%= $files.sample %> > /dev/null; echo $?</post_command>-->
<!--<condition>-->
<!--<output_matches>0</output_matches>-->
<!--<message>:) Well done! <%= $flags.pop %></message>-->
<!--<trigger_next_attack>true</trigger_next_attack>-->
<!--</condition>-->
<!--<condition>-->
<!--<output_matches>No such file or directory</output_matches>-->
<!--<message>:( You didn't copy to remote ssh /home/<%= $main_user %>/remote-rsync-full-backup/<%= $second_user %>/ Remember that the trailing / changes whether you are copying directories or their contents...</message>-->
<!--</condition>-->
<!--<else_condition>-->
<!--<message>:( Doesn't look like you have backed up all of <%= $second_user %>'s files to /home/<%= $main_user %>/remote-rsync-backup/<%= $second_user %>. Try SSHing to the server and look at what you have backed up there.</message>-->
<!--</else_condition>-->
<!--<tutorial><%= ERB.new(File.read self.templates_path + 'write_snort_rules.md.erb').result(self.get_binding) %></tutorial>-->
<!--</attack>-->
</hackerbot>


@@ -0,0 +1,121 @@
<html>
<head>
<title><%= self.title %></title>
</head>
<body>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="css/github-markdown.css">
<style>
.markdown-body {
box-sizing: border-box;
min-width: 200px;
max-width: 980px;
margin: 0 auto;
padding: 45px;
}
.markdown-body h4[id^='hackerbot']:after {
display: inline-block;
float: right;
content: url("images/skullandusb.svg");
width: 30px;
}
article {
float: right;
width: calc(100% - 300px);
}
.toc {
float: left;
font-size: smaller;
color: #1a1d22;
width: 300px;
position: fixed;
height: calc(100% - 56px);
overflow-y: scroll;
font-family: sans-serif;
margin-top: 50px;
}
.toc ul {
list-style-type: none;
padding: 0;
margin-left: 1em;
}
.toc li { /* Space between menu items*/
margin: 1em 0;
}
.toc a {
color: #1a1d22;
text-decoration: none;
}
.toc a:hover {
color: #6c036d;
text-decoration: none;
}
.toc a:visited {
color: #1a1d22;
text-decoration: none;
}
.markdown-body pre {
background-color: #570138;
color: whitesmoke;
}
.markdown-body p code span {
color: black !important;
}
.markdown-body p code {
background-color: whitesmoke;
border: 1px solid #eaecef;
}
.markdown-body img[alt="small-left"] {
max-width: 100px;
float: left;
}
.markdown-body img[alt="small-right"] {
max-width: 100px;
float: right;
}
.markdown-body img[alt="tiny-right"] {
max-width: 30px;
float: right;
}
.markdown-body img[alt="small"] {
max-width: 100px;
display: block;
margin-left: auto;
margin-right: auto;
padding: 15px;
}
mark {
background-color: white;
color: #5b29bd;
font-weight: bolder;
}
@media (max-width: 767px) {
.markdown-body {
padding: 15px;
min-width: 200px;
max-width: 980px;
}
.toc {
float: none;
width: 100%;
position: relative;
overflow: auto;
height: auto;
}
article {
float: none;
width: 100%;
}
}
</style>
<div class="toc">
<%= self.html_TOC_rendered %>
</div>
<article class="markdown-body">
<%= self.html_rendered %>
</article>
<script src="js/code-prettify/loader/run_prettify.js?autoload=true&amp;skin=sunburst&amp;lang=css"></script>
</body>
</html>
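Review bot: `<%= self.title %>` on the `<title>` line is interpolated without HTML escaping, so a title containing `<`, `&` or a stray `</title>` breaks the page (the two `html_rendered` values are presumably already-rendered HTML and are meant to go in raw, so this applies to the title only); `<title><%= ERB::Util.html_escape(self.title) %></title>` keeps it literal. As a point of style, the viewport `<meta>` and the stylesheet `<link>` sit inside `<body>` rather than `<head>`, which browsers tolerate but is not valid HTML; moving those two lines up under `<title>` is the usual layout. A short comment at the top of the template naming the object whose `title`, `html_TOC_rendered` and `html_rendered` methods it expects would help, since none of that contract is visible from the template itself.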


@@ -0,0 +1,6 @@
## License
This lab by [*Z. Cliffe Schreuders*](http://z.cliffe.schreuders.org) at Leeds Beckett University is licensed under a [*Creative Commons Attribution-ShareAlike 3.0 Unported License*](http://creativecommons.org/licenses/by-sa/3.0/deed.en_GB).
Included software source code is also licensed under the GNU General Public License, either version 3 of the License, or (at your option) any later version.
![small](images/leedsbeckett-logo.png)


@@ -0,0 +1,3 @@
## Resources
Martin Roesch (n.d.) **Chapter 2:** Writing Snort Rules - How to Write Snort Rules and Keep Your Sanity. In: *Snort Users Manual*. Available from: &lt;[*http://www.snort.org.br/documentacao/SnortUsersManual.pdf*](http://www.snort.org.br/documentacao/SnortUsersManual.pdf)&gt;


@@ -0,0 +1,144 @@
## Intrusion detection system (IDS) monitoring basics
Continuing **on the ids_server VM:**
==Make a backup== of the snort's configuration file in case anything goes wrong:
```bash
sudo cp /etc/snort/snort.conf /etc/snort/snort.conf.bak
```
==Change Snort's output== to something more readable:
```bash
sudo vi /etc/snort/snort.conf
```
> (Remember: editing using vi involves pressing "i" to insert/edit text, then *Esc*,
> ":wq" to write changes and quit)
==Add the following line:==
`output alert_fast`
==Change Snort's interface== to eth1 (or as you identified earlier), and set the local network to your IP address range (or "any"):
```bash
sudo vi /etc/snort/snort.debian.conf
```
> Set the interface and HOME network range, and exit vi (Esc, ":wq").
==Start Snort:==
```bash
sudo service snort stop
sudo service snort start
```
> Using "reload" or "restart" may not update the interface.
Snort should now be running, monitoring network traffic for activity.
==Have a chat with Hackerbot== (**from the desktop VM**).
This should trigger an alert from Snort, which is stored in an alerts log file.
**From the ids_server**, ==follow the Snort alert log== file by running (you may like to do this from a new tab):
```bash
sudo tail -f /var/log/snort/alert
```
>The tail program will wait for new alerts to be written to the file, and will display them as they are logged.
==Do an nmap port scan of the web_server== VM (from the desktop VM):
```bash
nmap <%= $web_server_ip %>
```
This should trigger another alert.
==LogBook question: Does the log match what happened? Are there any false positives (alerts that describe things that did not actually happen)?==
Try another type of port scan, such as an ==Xmas Tree scan from the desktop== VM (Hint: `man nmap`).
Press Ctrl-C to ==stop the alert tail process==, if it did not do so automatically.
The Snort configuration file is also configured to output a "tcpdump" formatted network capture. (`output log_tcpdump: tcpdump.log`)
Then run the following command to ==view the contents of the log:==
```bash
sudo ls /var/log/snort/
sudo tcpdump -r /var/log/snort/tcpdump.log.XXXXX
```
> Where XXXXX is one of the logs shown from the first command.
You can use tcpdump's various flags to change the way it is displayed, or you could even open the logged network activity in Wireshark.
##Configuring Snort
**On the ids_server**, ==edit /etc/snort/snort.conf==; for example:
```bash
vi /etc/snort/snort.conf
```
> (Remember: editing using vi involves pressing "i" to insert/edit text, then *Esc*, ":wq" to write changes and quit)
Scroll through the config file and, take notice of these details:
- In a production environment you would configure Snort to to correctly identify which traffic is considered LAN traffic, and which IP addresses are known to run various servers (this is also configured in snort.debian.conf). In this case, we will leave these settings as is.
- Note the line "`var RULE_PATH /etc/snort/rules`": this is where the IDS signatures are stored.
- Note the presence of a Back Orifice detector preprocessor "bo". Back Orifice was a Windows Trojan horse that was popular in the 90s.
- Note the "sfportscan" preprocessor (is it enabled?), which can detect various kinds of port scans.
- The "arpspoof" preprocessor is described as experimental, and is not enabled by default.
- Towards the end of the config file are "include" lines, which specify which of the rule files in RULE\_PATH are in effect. As is common, lines beginning with "\#" are ignored, which is used to list disabled rule files. There are rule files for detecting known exploits, attacks against services such as DNS and FTP, denial of service (DoS) attacks, and so on.
Add the following line below the other include rules (at the end of the file):
`include $RULE_PATH/my.rules`
Save your changes to snort.conf
> (For example, in vi, press Esc, then type ":wq").
> Hint: you may find it easier to use Esc, then type ":w" to write your changes to disk and then type ":q" to exit (or "x" shorthand for "wq").
Run this command, to ==create your new rule file:==
```bash
sudo touch /etc/snort/rules/my.rules
```
==Edit the file.== For example:
```bash
sudo vi /etc/snort/rules/my.rules
```
==Add this line (*with your own name*), and save your changes:==
`alert icmp any any ->any any (msg: "*Your-name*: ICMP Packet found"; sid:1000000; rev:1;)`
> For example, `alert icmp any any -> any any (msg: "**Cliffe**: ICMP Packet found"; sid:1000000; rev:1;)`
Now that you have new rules, tell Snort to ==reload its configuration:==
```bash
sudo service snort stop
sudo service snort start
```
> If after attempting a reload, Snort fails to start, then you have probably made a configuration mistake, so check the log for details by running: `tail /var/log/syslog`
Due to the new rule you have just applied, sending a simple ICMP Ping (typically used to troubleshoot connectivity) will trigger a Snort alert.
Try it, **from the desktop** VM, ==ping the web_server:==
```bash
ping <%= $web_server_ip %>
```
Check for the Snort alert. You should see that the ping was detected, and our new message was added to the alerts log file.

View File

@@ -0,0 +1,116 @@
### Tcpdump
This section gives a quick overview of the basics of network monitoring, using tools such as Tcpdump and Wireshark. Keep in mind that these are important foundations, and we will quickly build on these.
**From your ids_server VM.** (==Login to the ids_server VM==)
To view live network traffic, ==start tcpdump on the ids_server:==
First, identify the network interface card (nic) to use:
```bash
ip -4 -o a s | grep <%= $ids_server_ip %>
```
> The "ip a s" command lists all local IP addresses, and -4 filters to only show IPv4, while -o sets one-line output mode
```bash
sudo tcpdump -i eth1
```
> Where **eth1**, is the name of the interface given in response to the above command.
With tcpdump still running, **from the desktop VM** ==perform a ping to the ids_server VM.==
```bash
ping <%= $ids_server_ip %>
```
> Run the above from the desktop VM.
> Note that Tcpdump displays the network activity taking place, including the pings, and various TCP connections and ARP requests. Depending on your environment you might also be seeing the traffic between various other VMs.
==Stop the ping== with Ctrl-C.
The IDS server has a network card interface that can enter promiscuous mode, meaning that it can view traffic destined to other systems on the network. (Without entering promiscuous mode a computer would only view the traffic destined for itself.)
Test this, **from the desktop** ==ping the web_server==:
```bash
ping <%= $web_server_ip %>
```
> If your network is configured correctly, from the Tcpdump running on the ids_server you should see the pings between these separate VMs (the desktop, and the web_server). Take the time to confirm that this is working. If it is not showing this traffic, but did show the last output, you need to configure the ids_server to be able to view the network traffic.
Once you have seen tcpdump in action displaying these packets ==press Ctrl-C to exit.==
Tcpdump can format the output in various ways, showing various levels of detail.
**From the ids_server**, ==run:==
```bash
sudo tcpdump -A -i eth1
```
> This shows the packet **content** without the information about the source and destination.
When you ==access a web page in a browser on the desktop VM== (go ahead... ==reload this labsheet== webpage), Tcpdump will display the content, so long as the traffic is not SSL encrypted (for example, so long as the URL doesn't start with http**s**://). Depending on the webserver and browser, the content may be compressed (but not encrypted) to save bandwidth.
**From the desktop VM**, use command line tools to ==view the labsheet and webserver pages:==
```bash
curl <%= $web_server_ip %>
curl <%= $hackerbot_server_ip %>
```
==Ping the web_server again== and observe the output.
Stop tcpdump (Ctrl-C) on the ids_server VM once you have observed the output.
==Run the following== command **on the ids_server:**
```bash
sudo tcpdump -v -i eth1
```
> The above is even more verbose, showing lots of detail about the network traffic.
Now try the ==above again==. Note the very detailed output.
It is possible to write tcpdump network traffic to storage, so that it can be analysed later:
```bash
sudo tcpdump -w /tmp/tcpdump-output -i eth1
```
While that is running, ==access a web page from Firefox on the desktop VM== browse to ==[*http://<%= $web_server_ip %>*](http://<%= $web_server_ip %>)== (In a new tab.)
Then ==close tcpdump== (Ctrl-C).
To view the file containing the tcpdump output on the ids_server VM type:
```bash
less /tmp/tcpdump-output
```
> (Press "y" to see the output if you are warned that it may be a binary file)
> You should be able to PageUp and PageDown through the file.
> Press "Q" to quit when ready
Run `man tcpdump` and read about the many options for output and filtering.
### Tcpdump filtering and Wireshark
We can also use tcpdump to do some simple monitoring of the network traffic to detect certain key words.
**On the ids_server**, ==run:==
```bash
kdesudo wireshark &
sudo tcpdump -A -i eth1 | grep "GET"
```
> For this exercise you can ignore the warning about running Wireshark as root, or read online to learn to use setcap to grant Wireshark more specific privileges.
In Wireshark, choose the network interface card (such as eth1) then click the green start icon, to ==start monitoring traffic==. Generate some traffic and explore how to ==view it using Wireshark==.
You can also open the captured network traffic in Wireshark.
Open a web browser **on the desktop VM**, and visit [*http://<%= $web_server_ip %>*](http://<%= $web_server_ip %>), note that tcpdump captures *most* network content, and grep can be used to filter it down to lines that are interesting to us.
Note that making sense of this information using tcpdump and/or Wireshark is possible (and is a common sys-admin task), but the output is too noisy to be constantly and effectively monitored by a human to detect security incidents. Therefore we can use an IDS such as Snort to monitor and analyse the network traffic to detect activity that it is configured to alert.
Make sure tcpdump is stopped (Ctrl-C).


@@ -0,0 +1,116 @@
## Writing your own Snort rules
Snort is predominantly designed as a signature-based IDS. Snort monitors the network for matches to rules that indicate activity that should trigger an alert. You have now seen Snort detect a few types of activity, and have added a rule to detect ICMP packets. Next you will apply more complicated rules, and create your own.
You may find external reference guides to writing Snort rules helpful. See the resources section below, and Google may come in handy.
In general, rules are defined on one line (although, they can break over lines by using `\`), and take the form of:
**header (body)**
where header = "**action** (log,alert) **protocol** (ip,tcp,udp,icmp,any) **source_IP** **source_port** **direction** (-&gt;,&lt;&gt;) **destination_IP** **destination_port**"
> for example: `alert tcp any any -> any any` to make an alert for all TCP traffic, or `alert tcp any any -> 192.168.0.1 23` to make an alert for connections to telnet on the given IP address
and body = "**option; option: "parameter"; ...**"
The most common options are:
> `msg: "message to display"`
and, to search the packet's content:
> `content: "some text to search for"`
To set the type of alert:
> `classtype:misc-attack`
>
> (where *misc-attack* is defined in `/etc/snort/classification.conf`)
To give a unique identifier and revision version number:
> `sid:1000001; rev:1`
So for example the body could be:
> `msg: "user login attempt"; content: "user"; classtype:attempted-user; sid:1000001; rev:1;`
And bringing all this together a Snort rule could read:
> `alert tcp any any -> 192.168.0.1 110 (msg: "Email login attempt"; content: "user"; classtype:attempted-user; sid:1000001; rev:1;)`
This rule looks at packets destined for 192.168.0.1 on the pop3 Email port (110), and sends an alert if the content contains the "user" command (which is used to log on to check email). Note that this rule is imperfect as it is, since it is case sensitive.
There are lots more options that can make rules more precise and efficient. For example, making them case insensitive, or starting to search content after an offset. Feel free to do some reading, to help you to create better IDS rules.
==Figure out how the rule could be improved to be case insensitive.==
==Browse the existing rules in `/etc/snort/rules` and figure out how at least two of them work.==
Lets create a basic rule that detects any web traffic on port 80.
```bash
echo "alert tcp any any -> any 80 (msg: "Web traffic detected - RANDOM"; sid:1000002; rev:1;)" >> /etc/snort/rules/my.rules
systemctl restart snort
```
Browse to a website, and confirm the rule worked to generate an alert containing RANDOM.
# TODO RANDOM
# HACKERBOT ATTACKS
Add a rule to detect any attempt to connect to a Telnet server, the output message must include "- RANDOM". Connections to a Telnet server could be a security issue, since logging into a networked computer using Telnet is known to be insecure because traffic is not encrypted. Don't forget to reload Snort!
Once you have saved your rule and reloaded Snort, test this rule by using Telnet. Rather than starting an actual Telnet server (unless you want to do so), you can simulate this by using Netcat to listen on the Telnet port, then connect with Telnet from the desktop VM.
On a terminal on the Kali Linux VM:
```bash
netcat -l -p 23
```
Leaving that running, and on a terminal on the openSUSE VM:
```bash
telnet localhost
```
Type "hello"
##TODO
Create a rule that only triggers on loading the Webserver's homepage (http://<%= $web_server_ip %>). Don't forget to reload Snort.
---
Create a rule that triggers on the
##TODO
Create a Snort rule that detects visits to the Leeds Beckett website from the Kali VM, but does not get triggered by general web browsing.
Hints:
> Look at some of the existing Snort rules for detecting Web sites, such as those in /etc/snort/rules/community-inappropriate.rules
> In the IMS labs or when using oVirt, you are likely using the proxy to access the web, so you will need to approach your rules a little differently, you may find you need to change the port you are listening to. Look at the output of tcpdump -A when you access a web page, what does the traffic contain that may point to what is being accessed? Have a look through the output of tcpdump for the text "Host".
As before, include your name in the alert message.
##TODO
Setup Snort as an intrusion *prevention* system (IPS): on the Kali VM so that it can actually deny traffic, and demonstrate with a rule. You may wish to extend the Leeds Beckett website rule, so that all attempts to access the website are denied by Snort.
# write a rule that detects
"Top secret"
Randomly specified content
Randomly generated content (requires network monitoring)
attacks
random port number (by service name?)
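Review bot: The `echo "alert tcp any any -> any 80 (msg: "Web traffic detected - RANDOM"; sid:1000002; rev:1;)" >> /etc/snort/rules/my.rules` command under "Lets create a basic rule" has nested double quotes, so the shell strips the quotes around the msg text and appends `(msg: Web traffic detected - RANDOM; ...)` to my.rules, which Snort will reject on restart; the `>>` redirect also runs as the unprivileged user against a root-owned file, and `systemctl restart snort` lacks the `sudo` used everywhere else in these sheets. Single-quoting the outer string and writing through tee fixes all three: `echo 'alert tcp any any -> any 80 (msg: "Web traffic detected - RANDOM"; sid:1000002; rev:1;)' | sudo tee -a /etc/snort/rules/my.rules`, followed by `sudo service snort stop; sudo service snort start` (the companion snort sheet notes that restart may not pick up the interface change). The section still carries draft material — the `# TODO` headings, the unfinished sentence "Create a rule that triggers on the", and steps that refer to Kali and openSUSE VMs while the rest of the lab uses desktop, ids_server and web_server — which should be completed or removed before students see it.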


@@ -63,10 +63,10 @@ You can't.
You can remove the ability of **everyone else** changing the content. ==Run:==
```bash
chmod u+w,o-rw /home/<%= $main_user %>/example
chmod u+w,go-rw /home/<%= $main_user %>/example
```
> u+w: user who owns the file, add write access
> o-rw: others, remove read and write access
> go-rw: group and others, remove read and write access
You can view the file permissions with:


@@ -1,5 +1,6 @@
class proftpd::configure {
$json_inputs = base64('decode', $::base64_inputs)
$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
file { '/etc/proftpd/proftpd.conf':
notify => Service['proftpd'],
ensure => present,
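Review bot: The manifest now binds the parsed inputs to the Puppet variable `$secgen_parameters`, but the proftpd.conf template in the next section reads `$secgen_parameters['port'].first` inside a `<% %>` block, where `$secgen_parameters` is a Ruby global that nothing visible assigns — the old template set it itself with `JSON.parse(@json_inputs)`, and that line is removed. Unless the rendering path exposes it some other way, Puppet hands manifest variables to ERB as instance variables, so the template line should read `$port = @secgen_parameters['port'].first` (or use `scope['secgen_parameters']`). A guard is also worth adding there, since a missing `port` key would surface as a NoMethodError on `.first` rather than a readable message. The `file` resource continues past the hunk.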


@@ -1,5 +1,4 @@
<% require 'json'
$secgen_parameters = JSON.parse(@json_inputs)
<%
$port = $secgen_parameters['port'].first
%>
#


@@ -3,7 +3,8 @@
<service xmlns="http://www.github/cliffe/SecGen/service"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/service">
<name>Apache HTTP Server</name>
<name>Apache HTTP Server - Kali Compatible</name>
<author>Z. Cliffe Schreuders</author>
<author>Connor Wilson</author>
<author>Puppet Labs</author>
<module_license>Apache v2</module_license>
@@ -22,6 +23,9 @@
<conflict>
<software_name>apache</software_name>
</conflict>
<conflict>
<name>Wheezy</name>
</conflict>
<requires>
<type>update</type>
</requires>


@@ -8,7 +8,7 @@
<module_license>MIT</module_license>
<description>Hosts a bash CGI script on a default apache installation.</description>
<type>httpd</type>
<type>http_bash</type>
<platform>unix</platform>
<reference>https://httpd.apache.org/</reference>


@@ -0,0 +1,816 @@
## Supported Release 1.11.0
#### Summary
This release adds SLES12 Support and many more features and bugfixes.
#### Features
- (MODULES-4049) Adds SLES 12 Support
- Adds additional directories options for LDAP Auth
- `auth_ldap_url`
- `auth_ldap_bind_dn`
- `auth_ldap_bind_password`
- `auth_ldap_group_attribute`
- `auth_ldap_group_attribute_is_dn`
- Allows `mod_event` parameters to be unset
- Allows management of default root directory access rights
- Adds class `apache::vhosts` to create apache::vhost resources
- Adds class `apache::mod::proxy_wstunnel`
- Adds class `apache::mod::dumpio`
- Adds class `apache::mod::socache_shmcb`
- Adds class `apache::mod::authn_dbd`
- Adds support for apache 2.4 on Amazon Linux
- Support the newer `mod_auth_cas` config options
- Adds `wsgi_script_aliases_match` parameter to `apache::vhost`
- Allow to override all SecDefaultAction attributes
- Add audit_log_relevant_status parameter to apache::mod::security
- Allow absolute path to $apache::mod::security::activated_rules
- Allow setting SecAuditLog
- Adds `passenger_max_instances_per_app` to `mod::passenger`
- Allow the proxy_via setting to be configured
- Allow no_proxy_uris to be used within proxy_pass
- Add rpaf.conf template parameter to `mod::rpaf`
- Allow user to specify alternative package and library names for shibboleth module
- Allows configuration of shibboleth lib path
- Adds parameter `passenger_data_buffer_dir` to `mod::passenger`
- Adds SSL stapling
- Allows use of `balance_manager` with `mod_proxy_balancer`
- Raises lower bound of `stdlib` dependency to version 4.2
- Adds support for Passenger repo on Amazon Linux
- Add ability to set SSLStaplingReturnResponderErrors on server level
- (MODULES-4213) Allow global rewrite rules inheritance in vhosts
- Moves `mod_env` to its own class and load it when required
#### Bugfixes
- Deny access to .ht and .hg, which are created by mercurial hg.
- Instead of failing, include apache::mod::prefork in manifests/mod/itk.pp instead.
- Only set SSLCompression when it is set to true.
- Remove duplicate shib2 hash element
- (MODULES-3388) Include mpm_module classes instead of class declaration
- Updates `apache::balancer` to respect `apache::confd_dir`
- Wrap mod_security directives in an IfModule
- Fixes to various mods for Ubuntu Xenial
- Fix /etc/modsecurity perms to match package
- Fix PassengerRoot under Debian stretch
- (MODULES-3476) Updates regex in apache_version custom fact to work with EL5
- Dont sql_injection_attacks.data
- Add force option to confd file resource to purge directory without warnings
- Patch httpoxy through mod_security
- Fixes config ordering of IncludeOptional
- Fixes bug where port numbers were unquoted
- Fixes bug where empty servername for vhost were written to template
- Auto-load `slotmem_shm` and `lbmethod_byrequests` with `proxy_balancer` on 2.4
- Simplify MPM setup on FreeBSD
- Adds requirement for httpd package
- Do not set ssl_certs_dir on FreeBSD
- Fixes bug that produces a duplicate `Listen 443` after a package update on EL7
- Fixes bug where custom facts break structured facts
- Avoid relative classname inclusion
- Fixes a failure in `vhost` if the first element of `$rewrites` is not a hash
- (MODULES-3744) Process $crs_package before $modsec_dir
- (MODULES-1491) Adds `::apache` include to mods that need it
## Supported Release 1.10.0
#### Summary
This release fixes backwards compatibility bugs introduced in 1.9.0. Also includes a new mod class and a new vhost feature.
#### Features
- Allow setting KeepAlive related options per vhost
- `apache::vhost::keepalive`
- `apache::vhost::keepalive_timeout`
- `apache::vhost::max_keepalive_requests`
- Adds new class `apache::mod::cluster`
#### Bugfixes
- MODULES-2890: Allow php_version != 5
- MODULES-2890: mod::php: Explicit test on jessie
- MODULES-2890: Fix PHP on Debian stretch and Ubuntu Xenial
- MODULES-2890: Fix mod_php SetHandler and cleanup
- Fixed trailing slash in lib_path on Suse
- Revert "MODULES-2956: Enable options within location block on proxy_match". Bug introduced in release 1.9.0.
- Revert "changed rpaf Configuration Directives: RPAF -> RPAF_". Bug introduced in release 1.9.0.
- Set actual path to apachectl on FreeBSD. Fixes snippets verification.
## Supported Release 1.9.0 [DELETED]
#### Features
- Added `apache_version` fact
- Added `apache::balancer::target` attribute
- Added `apache::fastcgi::server::pass_header` attribute
- Added ability for `apache::fastcgi::server::host` using sockets
- Added `apache::root_directory_options` attribute
- Added for `apache::mod::ldap`:
- `ldap_shared_cache_size`
- `ldap_cache_entries`
- `ldap_cache_ttl`
- `ldap_opcache_entries`
- `ldap_opcache_ttl`
- Added `apache::mod::pagespeed::package_ensure` attribute
- Added `apache::mod::passenger` attributes:
- `passenger_log_level`
- `manage_repo`
- Added upstream repo for `apache::mod::passenger`
- Added `apache::mod::proxy_fcgi` class
- Added `apache::mod::security` attributes:
- `audit_log_parts`
- `secpcrematchlimit`
- `secpcrematchlimitrecursion`
- `secdefaultaction`
- `anomaly_score_blocking`
- `inbound_anomaly_threshold`
- `outbound_anomaly_threshold`
- Added `apache::mod::ssl` attributes:
- `ssl_mutex`
- `apache_version`
- Added ubuntu 16.04 support
- Added `apache::mod::authnz_ldap::package_name` attribute
- Added `apache::mod::ldap::package_name` attribute
- Added `apache::mod::proxy::package_name` attribute
- Added `apache::vhost` attributes:
- `ssl_proxy_check_peen_expire`
- `ssl_proxy_protocol`
- `logroot_owner`
- `logroot_group`
- `setenvifnocase`
- `passenger_user`
- `passenger_high_performance`
- `jk_mounts`
- `fastcgi_idle_timeout`
- `modsec_disable_msgs`
- `modsec_disable_tags`
- Added ability for 2.4-style `RequireAll|RequireNone|RequireAny` directory permissions
- Added ability for includes in vhost directory
- Added directory values:
- `AuthMerging`
- `MellonSPMetadataFile`
- Adds Configurability of Collaborative Detection Severity Levels for OWASP Core Rule Set to `apache::mod::security` class
- `critical_anomaly_score`
- `error_anomaly_score`
- `warning_anomaly_score`
- `notice_anomaly_score`
- Adds ability to configure `info_path` in `apache::mod::info` class
- Adds ability to configure `verify_config` in `apache::vhost::custom`
#### Bugfixes
- Fixed apache mod setup for event/worker failing syntax
- Fixed concat deprecation warnings
- Fixed pagespeed mod
- Fixed service restart on mod update
- Fixed mod dir purging to happen after package installs
- Fixed various `apache::mod::*` file modes
- Fixed `apache::mod::authnz_ldap` parameter `verifyServerCert` to be `verify_server_cert`
- Fixed loadfile name in `apache::mod::fcgid`
- Fixed `apache::mod::remoteip` to fail on apache < 2.4 (because it is not available)
- Fixed `apache::mod::ssl::ssl_honorcipherorder` interpolation
- Lint fixes
- Strict variable fixes
- Fixed `apache::vhost` attribute `redirectmatch_status` to be optional
- Fixed SSLv3 on by default in mod\_nss
- Fixed mod\_rpaf directive names in template
- Fixed mod\_worker needing MaxClients with ThreadLimit
- Fixed quoting on vhost php\_value
- Fixed xml2enc for proxy\_html on debian
- Fixed a problem where the apache service restarts too fast
## Supported Release 1.8.1
### Summary
This release includes bug fixes and a documentation update.
#### Bugfixes
- Fixes a bug that occurs when using the module in combination with puppetlabs-concat 2.x.
- Fixes a bug where passenger.conf was vulnerable to purging.
- Removes the pin of the concat module dependency.
## 2016-01-26 - Supported Release 1.8.0
### Summary
This release includes a lot of bug fixes and feature updates, including support for Debian 8, as well as many test improvements.
#### Features
- Debian 8 Support.
- Added the 'file_mode' property to allow a custom permission setting for config files.
- Enable 'PassengerMaxRequestQueueSize' to be set for mod_passenger.
- MODULES-2956: Enable options within location block on proxy_match.
- Support itk on redhat.
- Support the mod_ssl SSLProxyVerify directive.
- Support ProxPassReverseCookieDomain directive (mod_proxy).
- Support proxy provider for vhost directories.
- Added new 'apache::vhost::custom' resource.
#### Bugfixes
- Fixed ProxyPassReverse configuration.
- Fixed error in Amazon operatingsystem detection.
- Fixed mod_security catalog ordering issues for RedHat 7.
- Fixed paths and packages for the shib2 apache module on Debian pre Jessie.
- Fixed EL7 directory path for apache modules.
- Fixed validation error when empty array is passed for the rewrites parameter.
- Idempotency fixes with regards to '::apache::mod_enable_dir'.
- ITK fixes.
- (MODULES-2865) fix $mpm_module logic for 'false'.
- Set SSLProxy directives even if ssl is false, due to issue with RewriteRules and ProxyPass directives.
- Enable setting LimitRequestFieldSize globally, and remove it from vhost.
#### Improvements
- apache::mod::php now uses FilesMatch to configure the php handler. This is following the recommended upstream configuration guidelines (http://php.net/manual/en/install.unix.apache2.php#example-20) and distribution's default config (e.g.: http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/vivid/php5/vivid/view/head:/debian/php5.conf). It avoids inadvertently exposing the PHP handler to executing uploads with names like 'file.php.jpg', but might impact setups with unusual requirements.
- Improved compatibility for Gentoo.
- Vhosts can now be supplied with a wildcard listen value.
- Numerous test improvements.
- Removed workarounds for https://bz.apache.org/bugzilla/show_bug.cgi?id=38864 as the issues have been fixed in Apache.
- Documentation updates.
- Ensureed order of ProxyPass and ProxyPassMatch parameters.
- Ensure that ProxyPreserveHost is set to off mode explicitly if not set in manifest.
- Put headers and request headers before proxy with regards to template generation.
- Added X-Forwarded-For into log_formats defaults.
- (MODULES-2703) Allow mod pagespeed to take an array of lines as additional_configuration.
## Supported Release 1.7.1
###Summary
Small release for support of newer PE versions. This increments the version of PE in the metadata.json file.
## 2015-11-17 - Supported Release 1.7.0
### Summary
This release includes many new features and bugfixes. There are test, documentation and misc improvements.
#### Features
- allow groups with - like vhost-users
- ability to enable/disable the secruleengine through a parameter
- add mod_auth_kerb parameters to vhost
- client auth for reverse proxy
- support for mod_auth_mellon
- change SSLProtocol in apache::vhost to be space separated
- RewriteLock support
#### Bugfixes
- fix apache::mod::cgid so it can be used with the event MPM
- load unixd before fcgid on all operating systems
- fixes conditional in vhost aliases
- corrects mod_cgid worker/event defaults
- ProxyPassMatch parameters were ending up on a newline
- catch that mod_authz_default has been removed in Apache 2.4
- mod::ssl fails on SLES
- fix typo of MPM_PREFORK for FreeBSD package install
- install all modules before adding custom configs
- fix acceptance testing for SSLProtocol behaviour for real
- fix ordering issue with conf_file and ports_file
#### Known Issues
- mod_passenger is having issues installing on Redhat/Centos 6, This is due to package dependency issues.
#### Improvements
- added docs for forcetype directive
- removes ruby 1.8.7 from the travisci test matrix
- readme reorganisation, minor fixups
- support the mod_proxy ProxyPassReverseCookiePath directive
- the purge_vhost_configs parameter is actually called purge_vhost_dir
- add ListenBacklog for mod worker
- deflate application/json by default
- install mod_authn_alias as default mod in debian for apache < 2.4
- optionally set LimitRequestFieldSize on an apache::vhost
- add SecUploadDir parameter to support file uploads with mod_security
- optionally set parameters for mod_ext_filter module
- allow SetOutputFilter to be set on a directory
- RC4 is deprecated
- allow empty docroot
- add option to configure the include pattern for the vhost_enable dir
- allow multiple IP addresses per vhost
- default document root update for Ubuntu 14.04 and Debian 8
## 2015-07-28 - Supported Release 1.6.0
### Summary
This release includes a couple of new features, along with test and documentation updates, and support for the latest AIO puppet builds.
#### Features
- Add `scan_proxy_header_field` parameter to `apache::mod::geoip`
- Add `ssl_openssl_conf_cmd` parameter to `apache::vhost` and `apache::mod::ssl`
- Add `filters` parameter to `apache::vhost`
#### Bugfixes
- Test updates
- Do not use systemd on Amazon Linux
- Add missing docs for `timeout` parameter (MODULES-2148)
## 2015-06-11 - Supported Release 1.5.0
### Summary
This release primarily adds Suse compatibility. It also adds a handful of other
parameters for greater configuration control.
#### Features
- Add `apache::lib_path` parameter
- Add `apache::service_restart` parameter
- Add `apache::vhost::geoip_enable` parameter
- Add `apache::mod::geoip` class
- Add `apache::mod::remoteip` class
- Add parameters to `apache::mod::expires` class
- Add `index_style_sheet` handling to `apache::vhost::directories`
- Add some compatibility for SLES 11
- Add `apache::mod::ssl::ssl_sessioncachetimeout` parameter
- Add `apache::mod::ssl::ssl_cryptodevice` parameter
- Add `apache::mod::ssl::ssl_honorcipherorder` parameter
- Add `apache::mod::userdir::options` parameter
#### Bugfixes
- Document `apache::user` parameter
- Document `apache::group` parameter
- Fix apache::dev on FreeBSD
- Fix proxy\_connect on apache >= 2.2
- Validate log levels better
- Fix `apache::apache_name` for package and vhost
- Fix Debian Jessie mod\_prefork package name
- Fix alias module being declared even when vhost is absent
- Fix proxy\_pass\_match handling in vhost's proxy template
- Fix userdir access permissions
- Fix issue where the module was trying to use systemd on Amazon Linux.
## 2015-04-28 - Supported Release 1.4.1
This release corrects a metadata issue that has been present since release 1.2.0. The refactoring of `apache::vhost` to use `puppetlabs-concat` requires a version of concat newer than the version required in PE. If you are using PE 3.3.0 or earlier you will need to use version 1.1.1 or earlier of the `puppetlabs-apache` module.
## 2015-03-17 - Supported Release 1.4.0
###Summary
This release fixes the issue where the docroot was still managed even if the default vhosts were disabled and has many other features and bugfixes including improved support for 'deny' and 'require' as arrays in the 'directories' parameter under `apache::vhost`
#### Features
- New parameters to `apache`
- `default_charset`
- `default_type`
- New parameters to `apache::vhost`
- `proxy_error_override`
- `passenger_app_env` (MODULES-1776)
- `proxy_dest_match`
- `proxy_dest_reverse_match`
- `proxy_pass_match`
- `no_proxy_uris_match`
- New parameters to `apache::mod::passenger`
- `passenger_app_env`
- `passenger_min_instances`
- New parameter to `apache::mod::alias`
- `icons_options`
- New classes added under `apache::mod::*`
- `authn_file`
- `authz_default`
- `authz_user`
- Added support for 'deny' as an array in 'directories' under `apache::vhost`
- Added support for RewriteMap
- Improved support for FreeBSD. (Note: If using apache < 2.4.12, see the discussion [here](https://github.com/puppetlabs/puppetlabs-apache/pull/1030))
- Added check for deprecated options in directories and fail when they are unsupported
- Added gentoo compatibility
- Added proper array support for `require` in the `directories` parameter in `apache::vhost`
- Added support for `setenv` inside proxy locations
### Bugfixes
- Fix issue in `apache::vhost` that was preventing the scriptalias fragment from being included (MODULES-1784)
- Install required `mod_ldap` package for EL7 (MODULES-1779)
- Change default value of `maxrequestworkers` in `apache::mod::event` to be a multiple of the default `ThreadsPerChild` of 25.
- Use the correct `mod_prefork` package name for trusty and jessie
- Don't manage docroot when default vhosts are disabled
- Ensure resources notify `Class['Apache::Service']` instead of `Service['httpd']` (MODULES-1829)
- Change the loadfile name for `mod_passenger` so `mod_proxy` will load by default before `mod_passenger`
- Remove old Debian work-around that removed `passenger_extra.conf`
## 2015-02-17 - Supported Release 1.3.0
### Summary
This release has many new features and bugfixes, including the ability to optionally not trigger service restarts on config changes.
#### Features
- New parameters - `apache`
- `service_manage`
- `use_optional_includes`
- New parameters - `apache::service`
- `service_manage`
- New parameters - `apache::vhost`
- `access_logs`
- `php_flags`
- `php_values`
- `modsec_disable_vhost`
- `modsec_disable_ids`
- `modsec_disable_ips`
- `modsec_body_limit`
- Improved FreeBSD support
- Add ability to omit priority prefix if `$priority` is set to false
- Add `apache::security::rule_link` define
- Improvements to `apache::mod::*`
- Add `apache::mod::auth_cas` class
- Add `threadlimit`, `listenbacklog`, `maxrequestworkers`, `maxconnectionsperchild` parameters to `apache::mod::event`
- Add `apache::mod::filter` class
- Add `root_group` to `apache::mod::php`
- Add `apache::mod::proxy_connect` class
- Add `apache::mod::security` class
- Add `ssl_pass_phrase_dialog` and `ssl_random_seed_bytes` parameters to `apache::mod::ssl` (MODULES-1719)
- Add `status_path` parameter to `apache::mod::status`
- Add `apache_version` parameter to `apache::mod::version`
- Add `package_name` and `mod_path` parameters to `apache::mod::wsgi` (MODULES-1458)
- Improved SCL support
- Add support for specifying the docroot
- Updated `_directories.erb` to add support for SetEnv
- Support multiple access log directives (MODULES-1382)
- Add passenger support for Debian Jessie
- Add support for not having puppet restart the apache service (MODULES-1559)
#### Bugfixes
- For apache 2.4 `mod_itk` requires `mod_prefork` (MODULES-825)
- Allow SSLCACertificatePath to be unset in `apache::vhost` (MODULES-1457)
- Load fcgid after unixd on RHEL7
- Allow disabling default vhost for Apache 2.4
- Test fixes
- `mod_version` is now built-in (MODULES-1446)
- Sort LogFormats for idempotency
- `allow_encoded_slashes` was omitted from `apache::vhost`
- Fix documentation bug (MODULES-1403, MODULES-1510)
- Sort `wsgi_script_aliases` for idempotency (MODULES-1384)
- lint fixes
- Fix automatic version detection for Debian Jessie
- Fix error docs and icons path for RHEL7-based systems (MODULES-1554)
- Sort php_* hashes for idempotency (MODULES-1680)
- Ensure `mod::setenvif` is included if needed (MODULES-1696)
- Fix indentation in `vhost/_directories.erb` template (MODULES-1688)
- Create symlinks on all distros if `vhost_enable_dir` is specified
## 2014-09-30 - Supported Release 1.2.0
### Summary
This release features many improvements and bugfixes, including several new defines, a reworking of apache::vhost for more extensibility, and many new parameters for more customization. This release also includes improved support for strict variables and the future parser.
#### Features
- Convert apache::vhost to use concat for easier extensions
- Test improvements
- Synchronize files with modulesync
- Strict variable and future parser support
- Added apache::custom_config defined type to allow validation of configs before they are created
- Added bool2httpd function to convert true/false to apache 'On' and 'Off'. Intended for internal use in the module.
- Improved SCL support
- allow overriding of the mod_ssl package name
- Add support for reverse_urls/ProxyPassReverse in apache::vhost
- Add satisfy directive in apache::vhost::directories
- Add apache::fastcgi::server defined type
- New parameters - apache
- allow_encoded_slashes
- apache_name
- conf_dir
- default_ssl_crl_check
- docroot
- logroot_mode
- purge_vhost_dir
- New parameters - apache::vhost
- add_default_charset
- allow_encoded_slashes
- logroot_ensure
- logroot_mode
- manage_docroot
- passenger_app_root
- passenger_min_instances
- passenger_pre_start
- passenger_ruby
- passenger_start_timeout
- proxy_preserve_host
- redirectmatch_dest
- ssl_crl_check
- wsgi_chunked_request
- wsgi_pass_authorization
- Add support for ScriptAlias and ScriptAliasMatch in the apache::vhost::aliases parameter
- Add support for rewrites in the apache::vhost::directories parameter
- If the service_ensure parameter in apache::service is set to anything other than true, false, running, or stopped, ensure will not be passed to the service resource, allowing for the service to not be managed by puppet
- Turn of SSLv3 by default
- Improvements to apache::mod*
- Add restrict_access parameter to apache::mod::info
- Add force_language_priority and language_priority parameters to apache::mod::negotiation
- Add threadlimit parameter to apache::mod::worker
- Add content, template, and source parameters to apache::mod::php
- Add mod_authz_svn support via the authz_svn_enabled parameter in apache::mod::dav_svn
- Add loadfile_name parameter to apache::mod
- Add apache::mod::deflate class
- Add options parameter to apache::mod::fcgid
- Add timeouts parameter to apache::mod::reqtimeout
- Add apache::mod::shib
- Add apache_version parameter to apache::mod::ldap
- Add magic_file parameter to apache::mod::mime_magic
- Add apache_version parameter to apache::mod::pagespeed
- Add passenger_default_ruby parameter to apache::mod::passenger
- Add content, template, and source parameters to apache::mod::php
- Add apache_version parameter to apache::mod::proxy
- Add loadfiles parameter to apache::mod::proxy_html
- Add ssl_protocol and package_name parameters to apache::mod::ssl
- Add apache_version parameter to apache::mod::status
- Add apache_version parameter to apache::mod::userdir
- Add apache::mod::version class
#### Bugfixes
- Set osfamily defaults for wsgi_socket_prefix
- Support multiple balancermembers with the same url
- Validate apache::vhost::custom_fragment
- Add support for itk with mod_php
- Allow apache::vhost::ssl_certs_dir to not be set
- Improved passenger support for Debian
- Improved 2.4 support without mod_access_compat
- Support for more than one 'Allow from'-directive in _directories.erb
- Don't load systemd on Amazon linux based on CentOS6 with apache 2.4
- Fix missing newline in ModPagespeed filter and memcached servers directive
- Use interpolated strings instead of numbers where required by future parser
- Make auth_require take precedence over default with apache 2.4
- Lint fixes
- Set default for php_admin_flags and php_admin_values to be empty hash instead of empty array
- Correct typo in mod::pagespeed
- spec_helper fixes
- Install mod packages before dealing with the configuration
- Use absolute scope to check class definition in apache::mod::php
- Fix dependency loop in apache::vhost
- Properly scope variables in the inline template in apache::balancer
- Documentation clarification, typos, and formatting
- Set apache::mod::ssl::ssl_mutex to default for debian on apache >= 2.4
- Strict variables fixes
- Add authn_core mode to Ubuntu trusty defaults
- Keep default loadfile for authz_svn on Debian
- Remove '.conf' from the site-include regexp for better Ubuntu/Debian support
- Load unixd before fcgid for EL7
- Fix RedirectMatch rules
- Fix misleading error message in apache::version
#### Known Bugs
* By default, the version of Apache that ships with Ubuntu 10.04 does not work with `wsgi_import_script`.
* SLES is unsupported.
## 2014-07-15 - Supported Release 1.1.1
### Summary
This release merely updates metadata.json so the module can be uninstalled and
upgraded via the puppet module command.
## 2014-04-14 Supported Release 1.1.0
### Summary
This release primarily focuses on extending the httpd 2.4 support, tested
through adding RHEL7 and Ubuntu 14.04 support. It also includes Passenger
4 support, as well as several new modules and important bugfixes.
#### Features
- Add support for RHEL7 and Ubuntu 14.04
- More complete apache24 support
- Passenger 4 support
- Add support for max_keepalive_requests and log_formats parameters
- Add mod_pagespeed support
- Add mod_speling support
- Added several parameters for mod_passenger
- Added ssl_cipher parameter to apache::mod::ssl
- Improved examples in documentation
- Added docroot_mode, action, and suexec_user_group parameters to apache::vhost
- Add support for custom extensions for mod_php
- Improve proxy_html support for Debian
#### Bugfixes
- Remove NameVirtualHost directive for apache >= 2.4
- Order proxy_set option so it doesn't change between runs
- Fix inverted SSL compression
- Fix missing ensure on concat::fragment resources
- Fix bad dependencies in apache::mod and apache::mod::mime
#### Known Bugs
* By default, the version of Apache that ships with Ubuntu 10.04 does not work with `wsgi_import_script`.
* SLES is unsupported.
## 2014-03-04 Supported Release 1.0.1
### Summary
This is a supported release. This release removes a testing symlink that can
cause trouble on systems where /var is on a seperate filesystem from the
modulepath.
#### Features
#### Bugfixes
#### Known Bugs
* By default, the version of Apache that ships with Ubuntu 10.04 does not work with `wsgi_import_script`.
* SLES is unsupported.
## 2014-03-04 Supported Release 1.0.0
### Summary
This is a supported release. This release introduces Apache 2.4 support for
Debian and RHEL based osfamilies.
#### Features
- Add apache24 support
- Add rewrite_base functionality to rewrites
- Updated README documentation
- Add WSGIApplicationGroup and WSGIImportScript directives
#### Bugfixes
- Replace mutating hashes with merge() for Puppet 3.5
- Fix WSGI import_script and mod_ssl issues on Lucid
#### Known Bugs
* By default, the version of Apache that ships with Ubuntu 10.04 does not work with `wsgi_import_script`.
* SLES is unsupported.
---
## 2014-01-31 Release 0.11.0
### Summary:
This release adds preliminary support for Windows compatibility and multiple rewrite support.
#### Backwards-incompatible Changes:
- The rewrite_rule parameter is deprecated in favor of the new rewrite parameter
and will be removed in a future release.
#### Features:
- add Match directive
- quote paths for windows compatibility
- add auth_group_file option to README.md
- allow AuthGroupFile directive for vhosts
- Support Header directives in vhost context
- Don't purge mods-available dir when separate enable dir is used
- Fix the servername used in log file name
- Added support for mod_include
- Remove index parameters.
- Support environment variable control for CustomLog
- added redirectmatch support
- Setting up the ability to do multiple rewrites and conditions.
- Convert spec tests to beaker.
- Support php_admin_(flag|value)s
#### Bugfixes:
- directories are either a Hash or an Array of Hashes
- Configure Passenger in separate .conf file on RH so PassengerRoot isn't lost
- (docs) Update list of `apache::mod::[name]` classes
- (docs) Fix apache::namevirtualhost example call style
- Fix $ports_file reference in apache::listen.
- Fix $ports_file reference in Namevirtualhost.
## 2013-12-05 Release 0.10.0
### Summary:
This release adds FreeBSD osfamily support and various other improvements to some mods.
#### Features:
- Add suPHP_UserGroup directive to directory context
- Add support for ScriptAliasMatch directives
- Set SSLOptions StdEnvVars in server context
- No implicit <Directory> entry for ScriptAlias path
- Add support for overriding ErrorDocument
- Add support for AliasMatch directives
- Disable default "allow from all" in vhost-directories
- Add WSGIPythonPath as an optional parameter to mod_wsgi.
- Add mod_rpaf support
- Add directives: IndexOptions, IndexOrderDefault
- Add ability to include additional external configurations in vhost
- need to use the provider variable not the provider key value from the directory hash for matches
- Support for FreeBSD and few other features
- Add new params to apache::mod::mime class
- Allow apache::mod to specify module id and path
- added $server_root parameter
- Add Allow and ExtendedStatus support to mod_status
- Expand vhost/_directories.pp directive support
- Add initial support for nss module (no directives in vhost template yet)
- added peruser and event mpms
- added $service_name parameter
- add parameter for TraceEnable
- Make LogLevel configurable for server and vhost
- Add documentation about $ip
- Add ability to pass ip (instead of wildcard) in default vhost files
#### Bugfixes:
- Don't listen on port or set NameVirtualHost for non-existent vhost
- only apply Directory defaults when provider is a directory
- Working mod_authnz_ldap support on Debian/Ubuntu
## 2013-09-06 Release 0.9.0
### Summary:
This release adds more parameters to the base apache class and apache defined
resource to make the module more flexible. It also adds or enhances SuPHP,
WSGI, and Passenger mod support, and support for the ITK mpm module.
#### Backwards-incompatible Changes:
- Remove many default mods that are not normally needed.
- Remove `rewrite_base` `apache::vhost` parameter; did not work anyway.
- Specify dependencies on stdlib >=2.4.0 (this was already the case, but
making explicit)
- Deprecate `a2mod` in favor of the `apache::mod::*` classes and `apache::mod`
defined resource.
#### Features:
- `apache` class
- Add `httpd_dir` parameter to change the location of the configuration
files.
- Add `logroot` parameter to change the logroot
- Add `ports_file` parameter to changes the `ports.conf` file location
- Add `keepalive` parameter to enable persistent connections
- Add `keepalive_timeout` parameter to change the timeout
- Update `default_mods` to be able to take an array of mods to enable.
- `apache::vhost`
- Add `wsgi_daemon_process`, `wsgi_daemon_process_options`,
`wsgi_process_group`, and `wsgi_script_aliases` parameters for per-vhost
WSGI configuration.
- Add `access_log_syslog` parameter to enable syslogging.
- Add `error_log_syslog` parameter to enable syslogging of errors.
- Add `directories` hash parameter. Please see README for documentation.
- Add `sslproxyengine` parameter to enable SSLProxyEngine
- Add `suphp_addhandler`, `suphp_engine`, and `suphp_configpath` for
configuring SuPHP.
- Add `custom_fragment` parameter to allow for arbitrary apache
configuration injection. (Feature pull requests are prefered over using
this, but it is available in a pinch.)
- Add `apache::mod::suphp` class for configuring SuPHP.
- Add `apache::mod::itk` class for configuring ITK mpm module.
- Update `apache::mod::wsgi` class for global WSGI configuration with
`wsgi_socket_prefix` and `wsgi_python_home` parameters.
- Add README.passenger.md to document the `apache::mod::passenger` usage.
Added `passenger_high_performance`, `passenger_pool_idle_time`,
`passenger_max_requests`, `passenger_stat_throttle_rate`, `rack_autodetect`,
and `rails_autodetect` parameters.
- Separate the httpd service resource into a new `apache::service` class for
dependency chaining of `Class['apache'] -> <resource> ~>
Class['apache::service']`
- Added `apache::mod::proxy_balancer` class for `apache::balancer`
#### Bugfixes:
- Change dependency to puppetlabs-concat
- Fix ruby 1.9 bug for `a2mod`
- Change servername to be `$::hostname` if there is no `$::fqdn`
- Make `/etc/ssl/certs` the default ssl certs directory for RedHat non-5.
- Make `php` the default php package for RedHat non-5.
- Made `aliases` able to take a single alias hash instead of requiring an
array.
## 2013-07-26 Release 0.8.1
#### Bugfixes:
- Update `apache::mpm_module` detection for worker/prefork
- Update `apache::mod::cgi` and `apache::mod::cgid` detection for
worker/prefork
## 2013-07-16 Release 0.8.0
#### Features:
- Add `servername` parameter to `apache` class
- Add `proxy_set` parameter to `apache::balancer` define
#### Bugfixes:
- Fix ordering for multiple `apache::balancer` clusters
- Fix symlinking for sites-available on Debian-based OSs
- Fix dependency ordering for recursive confdir management
- Fix `apache::mod::*` to notify the service on config change
- Documentation updates
## 2013-07-09 Release 0.7.0
#### Changes:
- Essentially rewrite the module -- too many to list
- `apache::vhost` has many abilities -- see README.md for details
- `apache::mod::*` classes provide httpd mod-loading capabilities
- `apache` base class is much more configurable
#### Bugfixes:
- Many. And many more to come
## 2013-03-2 Release 0.6.0
- update travis tests (add more supported versions)
- add access log_parameter
- make purging of vhost dir configurable
## 2012-08-24 Release 0.4.0
#### Changes:
- `include apache` is now required when using `apache::mod::*`
#### Bugfixes:
- Fix syntax for validate_re
- Fix formatting in vhost template
- Fix spec tests such that they pass
## 2012-05-08 Puppet Labs <info@puppetlabs.com> - 0.0.4
* e62e362 Fix broken tests for ssl, vhost, vhost::*
* 42c6363 Changes to match style guide and pass puppet-lint without error
* 42bc8ba changed name => path for file resources in order to name namevar by it's name
* 72e13de One end too much
* 0739641 style guide fixes: 'true' <> true, $operatingsystem needs to be $::operatingsystem, etc.
* 273f94d fix tests
* a35ede5 (#13860) Make a2enmod/a2dismo commands optional
* 98d774e (#13860) Autorequire Package['httpd']
* 05fcec5 (#13073) Add missing puppet spec tests
* 541afda (#6899) Remove virtual a2mod definition
* 976cb69 (#13072) Move mod python and wsgi package names to params
* 323915a (#13060) Add .gitignore to repo
* fdf40af (#13060) Remove pkg directory from source tree
* fd90015 Add LICENSE file and update the ModuleFile
* d3d0d23 Re-enable local php class
* d7516c7 Make management of firewalls configurable for vhosts
* 60f83ba Explicitly lookup scope of apache_name in templates.
* f4d287f (#12581) Add explicit ordering for vdir directory
* 88a2ac6 (#11706) puppetlabs-apache depends on puppetlabs-firewall
* a776a8b (#11071) Fix to work with latest firewall module
* 2b79e8b (#11070) Add support for Scientific Linux
* 405b3e9 Fix for a2mod
* 57b9048 Commit apache::vhost::redirect Manifest
* 8862d01 Commit apache::vhost::proxy Manifest
* d5c1fd0 Commit apache::mod::wsgi Manifest
* a825ac7 Commit apache::mod::python Manifest
* b77062f Commit Templates
* 9a51b4a Vhost File Declarations
* 6cf7312 Defaults for Parameters
* 6a5b11a Ensure installed
* f672e46 a2mod fix
* 8a56ee9 add pthon support to apache


@@ -0,0 +1,218 @@
Checklist (and a short version for the impatient)
=================================================
* Commits:
- Make commits of logical units.
- Check for unnecessary whitespace with "git diff --check" before
committing.
- Commit using Unix line endings (check the settings around "crlf" in
git-config(1)).
- Do not check in commented out code or unneeded files.
- The first line of the commit message should be a short
description (50 characters is the soft limit, excluding ticket
number(s)), and should skip the full stop.
- Associate the issue in the message. The first line should include
the issue number in the form "(#XXXX) Rest of message".
- The body should provide a meaningful commit message, which:
- uses the imperative, present tense: "change", not "changed" or
"changes".
- includes motivation for the change, and contrasts its
implementation with the previous behavior.
- Make sure that you have tests for the bug you are fixing, or
feature you are adding.
- Make sure the test suites passes after your commit:
`bundle exec rspec spec/acceptance` More information on [testing](#Testing) below
- When introducing a new feature, make sure it is properly
documented in the README.md
* Submission:
* Pre-requisites:
- Make sure you have a [GitHub account](https://github.com/join)
- [Create a ticket](https://tickets.puppetlabs.com/secure/CreateIssue!default.jspa), or [watch the ticket](https://tickets.puppetlabs.com/browse/) you are patching for.
* Preferred method:
- Fork the repository on GitHub.
- Push your changes to a topic branch in your fork of the
repository. (the format ticket/1234-short_description_of_change is
usually preferred for this project).
- Submit a pull request to the repository in the puppetlabs
organization.
The long version
================
1. Make separate commits for logically separate changes.
Please break your commits down into logically consistent units
which include new or changed tests relevant to the rest of the
change. The goal of doing this is to make the diff easier to
read for whoever is reviewing your code. In general, the easier
your diff is to read, the more likely someone will be happy to
review it and get it into the code base.
If you are going to refactor a piece of code, please do so as a
separate commit from your feature or bug fix changes.
We also really appreciate changes that include tests to make
sure the bug is not re-introduced, and that the feature is not
accidentally broken.
Describe the technical detail of the change(s). If your
description starts to get too long, that is a good sign that you
probably need to split up your commit into more finely grained
pieces.
Commits which plainly describe the things which help
reviewers check the patch and future developers understand the
code are much more likely to be merged in with a minimum of
bike-shedding or requested changes. Ideally, the commit message
would include information, and be in a form suitable for
inclusion in the release notes for the version of Puppet that
includes them.
Please also check that you are not introducing any trailing
whitespace or other "whitespace errors". You can do this by
running "git diff --check" on your changes before you commit.
2. Sending your patches
To submit your changes via a GitHub pull request, we _highly_
recommend that you have them on a topic branch, instead of
directly on "master".
It makes things much easier to keep track of, especially if
you decide to work on another thing before your first change
is merged in.
GitHub has some pretty good
[general documentation](http://help.github.com/) on using
their site. They also have documentation on
[creating pull requests](http://help.github.com/send-pull-requests/).
In general, after pushing your topic branch up to your
repository on GitHub, you can switch to the branch in the
GitHub UI and click "Pull Request" towards the top of the page
in order to open a pull request.
3. Update the related GitHub issue.
If there is a GitHub issue associated with the change you
submitted, then you should update the ticket to include the
location of your branch, along with any other commentary you
may wish to make.
Testing
=======
Getting Started
---------------
Our puppet modules provide [`Gemfile`](./Gemfile)s which can tell a ruby
package manager such as [bundler](http://bundler.io/) what Ruby packages,
or Gems, are required to build, develop, and test this software.
Please make sure you have [bundler installed](http://bundler.io/#getting-started)
on your system, then use it to install all dependencies needed for this project,
by running
```shell
% bundle install
Fetching gem metadata from https://rubygems.org/........
Fetching gem metadata from https://rubygems.org/..
Using rake (10.1.0)
Using builder (3.2.2)
-- 8><-- many more --><8 --
Using rspec-system-puppet (2.2.0)
Using serverspec (0.6.3)
Using rspec-system-serverspec (1.0.0)
Using bundler (1.3.5)
Your bundle is complete!
Use `bundle show [gemname]` to see where a bundled gem is installed.
```
NOTE some systems may require you to run this command with sudo.
If you already have those gems installed, make sure they are up-to-date:
```shell
% bundle update
```
With all dependencies in place and up-to-date we can now run the tests:
```shell
% bundle exec rake spec
```
This will execute all the [rspec tests](http://rspec-puppet.com/) tests
under [spec/defines](./spec/defines), [spec/classes](./spec/classes),
and so on. rspec tests may have the same kind of dependencies as the
module they are testing. While the module defines in its [Modulefile](./Modulefile),
rspec tests define them in [.fixtures.yml](./fixtures.yml).
Some puppet modules also come with [beaker](https://github.com/puppetlabs/beaker)
tests. These tests spin up a virtual machine under
[VirtualBox](https://www.virtualbox.org/)) with, controlling it with
[Vagrant](http://www.vagrantup.com/) to actually simulate scripted test
scenarios. In order to run these, you will need both of those tools
installed on your system.
You can run them by issuing the following command
```shell
% bundle exec rake spec_clean
% bundle exec rspec spec/acceptance
```
This will now download a pre-fabricated image configured in the [default node-set](./spec/acceptance/nodesets/default.yml),
install puppet, copy this module and install its dependencies per [spec/spec_helper_acceptance.rb](./spec/spec_helper_acceptance.rb)
and then run all the tests under [spec/acceptance](./spec/acceptance).
Writing Tests
-------------
XXX getting started writing tests.
If you have commit access to the repository
===========================================
Even if you have commit access to the repository, you will still need to
go through the process above, and have someone else review and merge
in your changes. The rule is that all changes must be reviewed by a
developer on the project (that did not write the code) to ensure that
all changes go through a code review process.
Having someone other than the author of the topic branch recorded as
performing the merge is the record that they performed the code
review.
Additional Resources
====================
* [Getting additional help](http://puppet.com/community/get-help)
* [Writing tests](https://docs.puppet.com/guides/module_guides/bgtm.html#step-three-module-testing)
* [General GitHub documentation](http://help.github.com/)
* [GitHub pull request documentation](http://help.github.com/send-pull-requests/)


@@ -0,0 +1,87 @@
#This file is generated by ModuleSync, do not edit.
source ENV['GEM_SOURCE'] || "https://rubygems.org"
# Determines what type of gem is requested based on place_or_version.
def gem_type(place_or_version)
if place_or_version =~ /^git:/
:git
elsif place_or_version =~ /^file:/
:file
else
:gem
end
end
# Find a location or specific version for a gem. place_or_version can be a
# version, which is most often used. It can also be git, which is specified as
# `git://somewhere.git#branch`. You can also use a file source location, which
# is specified as `file://some/location/on/disk`.
def location_for(place_or_version, fake_version = nil)
if place_or_version =~ /^(git[:@][^#]*)#(.*)/
[fake_version, { :git => $1, :branch => $2, :require => false }].compact
elsif place_or_version =~ /^file:\/\/(.*)/
['>= 0', { :path => File.expand_path($1), :require => false }]
else
[place_or_version, { :require => false }]
end
end
# Used for gem conditionals
supports_windows = false
group :development do
gem 'puppet-lint', :require => false
gem 'metadata-json-lint', :require => false, :platforms => 'ruby'
gem 'puppet_facts', :require => false
gem 'puppet-blacksmith', '>= 3.4.0', :require => false, :platforms => 'ruby'
gem 'puppetlabs_spec_helper', '>= 1.2.1', :require => false
gem 'rspec-puppet', '>= 2.3.2', :require => false
gem 'rspec-puppet-facts', :require => false, :platforms => 'ruby'
gem 'mocha', '< 1.2.0', :require => false
gem 'simplecov', :require => false, :platforms => 'ruby'
gem 'parallel_tests', '< 2.10.0', :require => false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0')
gem 'parallel_tests', :require => false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.0.0')
gem 'rubocop', '0.41.2', :require => false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0')
gem 'rubocop', :require => false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.0.0')
gem 'rubocop-rspec', '~> 1.6', :require => false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.3.0')
gem 'pry', :require => false
gem 'json_pure', '<= 2.0.1', :require => false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0')
gem 'fast_gettext', '1.1.0', :require => false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0')
gem 'fast_gettext', :require => false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0')
end
group :system_tests do
gem 'beaker', *location_for(ENV['BEAKER_VERSION'] || '~> 2.20') if supports_windows
gem 'beaker', *location_for(ENV['BEAKER_VERSION']) if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.3.0') and ! supports_windows
gem 'beaker', *location_for(ENV['BEAKER_VERSION'] || '< 3') if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.3.0') and ! supports_windows
gem 'beaker-pe', :require => false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.3.0')
gem 'beaker-rspec', *location_for(ENV['BEAKER_RSPEC_VERSION'] || '>= 3.4') if ! supports_windows
gem 'beaker-rspec', *location_for(ENV['BEAKER_RSPEC_VERSION'] || '~> 5.1') if supports_windows
gem 'beaker-puppet_install_helper', :require => false
gem 'master_manipulator', :require => false
gem 'beaker-hostgenerator', *location_for(ENV['BEAKER_HOSTGENERATOR_VERSION'])
gem 'beaker-abs', *location_for(ENV['BEAKER_ABS_VERSION'] || '~> 0.1')
end
gem 'puppet', *location_for(ENV['PUPPET_GEM_VERSION'])
# Only explicitly specify Facter/Hiera if a version has been specified.
# Otherwise it can lead to strange bundler behavior. If you are seeing weird
# gem resolution behavior, try setting `DEBUG_RESOLVER` environment variable
# to `1` and then run bundle install.
gem 'facter', *location_for(ENV['FACTER_GEM_VERSION']) if ENV['FACTER_GEM_VERSION']
gem 'hiera', *location_for(ENV['HIERA_GEM_VERSION']) if ENV['HIERA_GEM_VERSION']
# Evaluate Gemfile.local if it exists
if File.exists? "#{__FILE__}.local"
eval(File.read("#{__FILE__}.local"), binding)
end
# Evaluate ~/.gemfile if it exists
if File.exists?(File.join(Dir.home, '.gemfile'))
eval(File.read(File.join(Dir.home, '.gemfile')), binding)
end
# vim:ft=ruby


@@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.


@@ -0,0 +1,17 @@
apache puppet module
Copyright (C) 2012-2016 Puppet Labs, Inc.
Puppet Labs can be contacted at: info@puppetlabs.com
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.



@@ -0,0 +1,39 @@
require 'puppet_blacksmith/rake_tasks'
require 'puppet-lint/tasks/puppet-lint'
require 'puppetlabs_spec_helper/rake_tasks'
PuppetLint.configuration.send('relative')
PuppetLint.configuration.send('disable_documentation')
PuppetLint.configuration.send('disable_single_quote_string_with_variables')
PuppetLint.configuration.send('disable_only_variable_string')
desc 'Generate pooler nodesets'
task :gen_nodeset do
require 'beaker-hostgenerator'
require 'securerandom'
require 'fileutils'
agent_target = ENV['TEST_TARGET']
if ! agent_target
STDERR.puts 'TEST_TARGET environment variable is not set'
STDERR.puts 'setting to default value of "redhat-64default."'
agent_target = 'redhat-64default.'
end
master_target = ENV['MASTER_TEST_TARGET']
if ! master_target
STDERR.puts 'MASTER_TEST_TARGET environment variable is not set'
STDERR.puts 'setting to default value of "redhat7-64mdcl"'
master_target = 'redhat7-64mdcl'
end
targets = "#{master_target}-#{agent_target}"
cli = BeakerHostGenerator::CLI.new([targets])
nodeset_dir = "tmp/nodesets"
nodeset = "#{nodeset_dir}/#{targets}-#{SecureRandom.uuid}.yaml"
FileUtils.mkdir_p(nodeset_dir)
File.open(nodeset, 'w') do |fh|
fh.print(cli.execute)
end
puts nodeset
end

View File

@@ -0,0 +1,18 @@
#
# apache::fastcgi::server { 'php':
# host => '127.0.0.1:9000',
# timeout => 15,
# flush => false,
# faux_path => '/var/www/php.fcgi',
# fcgi_alias => '/php.fcgi',
# file_type => 'application/x-httpd-php'
# }
#
# apache::vhost { 'www':
# custom_fragment => 'AddType application/x-httpd-php .php',
# docroot => '/var/www/wordpress'
# }
class { 'apache':
mpm_module => 'prefork'
}

View File

@@ -0,0 +1,336 @@
{
"CHANGELOG.md": "3cf646fb26cf26763a7cfb5aad950d1a",
"CONTRIBUTING.md": "b78f71c1104f00538d50ad2775f58e95",
"Gemfile": "8229b2c0196b32a14403f99450c801af",
"LICENSE": "3b83ef96387f14655fc854ddc3c6bd57",
"NOTICE": "b7f979f1e3cd132677e1cd7762547e6b",
"README.md": "320bd7f9fb5e88b097805076c39b6b02",
"Rakefile": "3a104cbf874d68f98be0c43522d54a27",
"examples/apache.pp": "41e97262421ea5734fac16a338701a78",
"examples/dev.pp": "8da0d50d9d06834dd06329b8945f06d5",
"examples/init.pp": "d27415f33028c26d4031d30305eec5e0",
"examples/mod_load_params.pp": "e8d1c1b1b96d560c8288c51a76bffc87",
"examples/mods.pp": "78a25c9e226265353eabefd3ddfd4218",
"examples/mods_custom.pp": "bc9e6959c282984cf9cdd93869c89499",
"examples/php.pp": "afa0871b94040e3ae91fce9c375fb725",
"examples/vhost.pp": "2e9880fd36401c2f0b083054e7c69f3c",
"examples/vhost_directories.pp": "95aa446a2fccf9f3561581a5d71c61a7",
"examples/vhost_filter.pp": "62c5af7868af9887b7d71769c319c1e5",
"examples/vhost_ip_based.pp": "7a4d4c1c00147c45e4534f58d2fbf4ed",
"examples/vhost_proxypass.pp": "2f0bd33b34a48554adcdf20d6d31a4c2",
"examples/vhost_ssl.pp": "ddd3c45964df56837d6c051a7d692378",
"examples/vhosts_without_listen.pp": "226afb3e87129a56fc9add21b120feb2",
"files/httpd": "295f5e924afe6f752d29327e73fe6d0a",
"lib/facter/apache_version.rb": "babb22b1d567021995b4b5fa9328047b",
"lib/puppet/parser/functions/bool2httpd.rb": "05d5deeb6e0c31acee7c55b249ec8e06",
"lib/puppet/parser/functions/enclose_ipv6.rb": "581bc163291824909d1700909db96512",
"lib/puppet/parser/functions/validate_apache_log_level.rb": "d75bc4ef17ff5c9a1f94dd3948e733d1",
"lib/puppet/provider/a2mod/a2mod.rb": "d986d8e8373f3f31c97359381c180628",
"lib/puppet/provider/a2mod/gentoo.rb": "2492d446adbb68f678e86a75eb7ff3bd",
"lib/puppet/provider/a2mod/modfix.rb": "b689a1c83c9ccd8590399c67f3e588e5",
"lib/puppet/provider/a2mod/redhat.rb": "c39b80e75e7d0666def31c2a6cdedb0b",
"lib/puppet/provider/a2mod.rb": "03ed73d680787dd126ea37a03be0b236",
"lib/puppet/type/a2mod.rb": "9042ccc045bfeecca28bebb834114f05",
"manifests/balancer.pp": "b444ff1415ba0bd6c8ec1497bcc9cfb3",
"manifests/balancermember.pp": "d74ab23d74fa198853b13ad837df925c",
"manifests/confd/no_accf.pp": "406d0ca41c3b90f83740ca218dc3f484",
"manifests/custom_config.pp": "c5df4d455ff918f39e6341784457bca9",
"manifests/default_confd_files.pp": "86fdbe5773abb7c2da26db096973865c",
"manifests/default_mods/load.pp": "bc0b3b65edd1ba6178c09672352f9bce",
"manifests/default_mods.pp": "e4a7aa787443fce2e76c37e8fec99012",
"manifests/dev.pp": "8a7ead42f991e5dfdd364ba1aa1304e0",
"manifests/fastcgi/server.pp": "f177293f02a2878b43a863e8ab3015db",
"manifests/init.pp": "e76413e0c82c2ae13b658bcd97f31c5a",
"manifests/listen.pp": "6e44a9f49376cefb5694d52be5bc5a88",
"manifests/mod/actions.pp": "ec2a5d1cf54790204750f9b67938d230",
"manifests/mod/alias.pp": "1ef0d98a941bd796d428297b74acc8c4",
"manifests/mod/auth_basic.pp": "dffef6ff10145393cb78fcaa27220c53",
"manifests/mod/auth_cas.pp": "73dcf3f9ba2421a271f6c21bcae2fcbb",
"manifests/mod/auth_kerb.pp": "8759cab3dc12d6ba4cc12fcdbb699418",
"manifests/mod/auth_mellon.pp": "5bfbc604dd79923bdb65ecab02353059",
"manifests/mod/authn_core.pp": "4db773ddbc0d875230085782d4521951",
"manifests/mod/authn_dbd.pp": "8f03863a483184ca53b9bc3a45b2297f",
"manifests/mod/authn_file.pp": "eeb11513490beee901574746faaeabdf",
"manifests/mod/authnz_ldap.pp": "41b00baeb26144b889f4f0be4601dae5",
"manifests/mod/authz_default.pp": "b7c94cfa4e008155fffd241d35834064",
"manifests/mod/authz_user.pp": "d446c90c44304594206bd2a0112be625",
"manifests/mod/autoindex.pp": "3b50dc082dba420c3d564309601fd419",
"manifests/mod/cache.pp": "b56d68b9401ba3e02a1f2fe55cdfbcca",
"manifests/mod/cgi.pp": "32d6da37e010b5abe19b1a3be87a6d44",
"manifests/mod/cgid.pp": "fb9ae9b5012d41e22cb85c0b50e17361",
"manifests/mod/cluster.pp": "3d86d95713aea6107ff9e056d1b1698f",
"manifests/mod/dav.pp": "9df80d36dd609be9032a8260aa9d10c1",
"manifests/mod/dav_fs.pp": "9ad2359d64b0b6f219bd8a338917d114",
"manifests/mod/dav_svn.pp": "abc1ba954033b0b0187c079f310eb0e2",
"manifests/mod/dbd.pp": "4471dbd9fd67d0db885d4ba2a47a194a",
"manifests/mod/deflate.pp": "20231a22aba12eb905f1d7f1853e383e",
"manifests/mod/dev.pp": "42673bab60b6fc0f3aa6e2357ec0a27c",
"manifests/mod/dir.pp": "c7327a2a0ff02bdab2f5421359d6f300",
"manifests/mod/disk_cache.pp": "da18cbefced9bb32fc009e999c5b76e2",
"manifests/mod/dumpio.pp": "755f6072ef3130fa670022f26da7e429",
"manifests/mod/env.pp": "2a0321180a59161565b2b5f1b79d6b15",
"manifests/mod/event.pp": "a82a7ab979cc351eb660576bdc91d0e8",
"manifests/mod/expires.pp": "6f12edcf6863958af832db73b56e5f08",
"manifests/mod/ext_filter.pp": "df12ff3935ffa64f32bf897e433fc0ce",
"manifests/mod/fastcgi.pp": "96a3fcf0508a7eb8c9601eac329622eb",
"manifests/mod/fcgid.pp": "96e0a5f09c2d1ba21b2209a6e21b6847",
"manifests/mod/filter.pp": "b0039f3ae932b1204994ef2180dd76d2",
"manifests/mod/geoip.pp": "41762c637ab45dac05e564d1b3d03c3e",
"manifests/mod/headers.pp": "ef3de538a0a4c9406236faf43eb89710",
"manifests/mod/include.pp": "a3b66eda88e38d90825c16b834bacd8d",
"manifests/mod/info.pp": "c3e815ed9912bb9147805f7274508489",
"manifests/mod/itk.pp": "f631157ebdff68b6fc2bb6dbd5b8e8c4",
"manifests/mod/ldap.pp": "3fdd5ed6f1db898fc2499ed0ece0abe1",
"manifests/mod/mime.pp": "24fe99c65367a3f606441605a2ff26dd",
"manifests/mod/mime_magic.pp": "d31702cee9007c2e65c8d3ccbed1fda3",
"manifests/mod/negotiation.pp": "35fb1e9fa643054271804e215bb47299",
"manifests/mod/nss.pp": "3cc69b59bba579181b0ceb1dfd2976d0",
"manifests/mod/pagespeed.pp": "1fcf4c30084bd1e4fa3006b4d3265c1a",
"manifests/mod/passenger.pp": "55c68abd56d7838bbd6d9cb48bc941bb",
"manifests/mod/perl.pp": "b8180ca0e1e7f8d60030321f52c28d6d",
"manifests/mod/peruser.pp": "13761222709094653bca7bad4435fcdb",
"manifests/mod/php.pp": "64737f2ea2ad8532aaf515b713e9cac7",
"manifests/mod/prefork.pp": "3deff89f43a1f55dda643ac66e3fc4dc",
"manifests/mod/proxy.pp": "a65065f0c7705b7b75b1dd6fc2222e27",
"manifests/mod/proxy_ajp.pp": "073e2406aea7822750d4c21f02d8ac80",
"manifests/mod/proxy_balancer.pp": "a13221d222df646e84910cabd2902dee",
"manifests/mod/proxy_connect.pp": "7cd9b4b61ec6feb020f753ee74910a48",
"manifests/mod/proxy_fcgi.pp": "8c7fd559419b159e27218a17463d850d",
"manifests/mod/proxy_html.pp": "5ce01879add843832f756962dceec845",
"manifests/mod/proxy_http.pp": "0db1b26f8b4036b0d46ba86b7eaac561",
"manifests/mod/proxy_wstunnel.pp": "88ee88d6d56a70f0000e690f80f64acb",
"manifests/mod/python.pp": "6f65b22271cf356832fe7a1949163861",
"manifests/mod/remoteip.pp": "9ad1d5712477f11ae2643f209bb08ce3",
"manifests/mod/reqtimeout.pp": "17b245b5d14f3f7b8c1d5fa07e5c159e",
"manifests/mod/rewrite.pp": "292f2d6ce2078fa9df7f686105ea7b95",
"manifests/mod/rpaf.pp": "54991f51a06e2b4171956e6ce1caf3a3",
"manifests/mod/security.pp": "eaae214a25fcfa9fc9e4db4d2b88a37d",
"manifests/mod/setenvif.pp": "fa3b3e5f3a7e029f9db5b66ae499c6c8",
"manifests/mod/shib.pp": "8b75f8818fe9dc5728a478fc27962447",
"manifests/mod/socache_shmcb.pp": "c94ae23ab8cce744acad2f7e33dbfa9c",
"manifests/mod/speling.pp": "b6971e10caf22837e410b94910b66b1a",
"manifests/mod/ssl.pp": "a6c6ed342ef96db622671ed99ae0fe0d",
"manifests/mod/status.pp": "2e54208b8e669a7768b8bc4c2ca216a1",
"manifests/mod/suexec.pp": "2a8671856a0ece597e9b57867dc35e76",
"manifests/mod/suphp.pp": "5a7390ef0a0ceaa2d7e684bcb6300587",
"manifests/mod/userdir.pp": "bb20504fc72d66b8cf80bb270db7bb66",
"manifests/mod/version.pp": "6cb31057ebffa796f95642cc95f9499d",
"manifests/mod/vhost_alias.pp": "ee1225a748daaf50aca39a6d93fb8470",
"manifests/mod/worker.pp": "41137580c48b89f2795c1295d87962c0",
"manifests/mod/wsgi.pp": "186a34169367a2e64af4faf3036e3af3",
"manifests/mod/xsendfile.pp": "fba06f05a19c466654aca5ecaa705bf0",
"manifests/mod.pp": "0986292ef7477c30f6d07209f0591bdf",
"manifests/mpm.pp": "d4bfe77df34110cb253557104b2e6310",
"manifests/namevirtualhost.pp": "5ad54a441ff26a55cc536069d8fad238",
"manifests/package.pp": "ebd1e1e815ef744ebd4e9d8a6c94a07a",
"manifests/params.pp": "42d971519adb39970cf87f33180b1f5d",
"manifests/peruser/multiplexer.pp": "0ea75341b7a93e55bcfb431a93b1a6c9",
"manifests/peruser/processor.pp": "62f0ad5ed2ec36dadc7f40ad2a9e1bb9",
"manifests/php.pp": "9c9d07e12bf5d112b0b54f5bd69046fc",
"manifests/proxy.pp": "7c8515b88406922e148322ee15044b29",
"manifests/python.pp": "ddef4cd73850fdc2dc126d4579c30adf",
"manifests/security/rule_link.pp": "9c879ecfd7534347ccc8cf3ea77fa859",
"manifests/service.pp": "8e51ebf5af2e943030aec043face1bac",
"manifests/ssl.pp": "173f3d6a7fd2b5f4100c4ff03d84e13b",
"manifests/version.pp": "3388b1978b04cba63ed7fc8e2ec3f692",
"manifests/vhost/custom.pp": "421081f6c4f33e1aca07ff789e53345e",
"manifests/vhost.pp": "da0c608533e3010de53a42a09748c633",
"manifests/vhosts.pp": "d5cd9e6b701b7b2948c011546bc55497",
"metadata.json": "0090c6941acc9416730e7a48d0f6b231",
"spec/acceptance/apache_parameters_spec.rb": "5b95e67d474cc8a132c45f6e91714037",
"spec/acceptance/apache_ssl_spec.rb": "9cddf1b1b3a4ed2fe971fabe8785e9ed",
"spec/acceptance/class_spec.rb": "9d77ee23b734dd48ecea4353dee3d616",
"spec/acceptance/custom_config_spec.rb": "61e03d814d0671d194dd40e6b1ad5c9b",
"spec/acceptance/default_mods_spec.rb": "5d2bf768511d2fb34bd7057801d0fc4e",
"spec/acceptance/itk_spec.rb": "812c855013c08ebb13e642dc5199b41a",
"spec/acceptance/mod_dav_svn_spec.rb": "e792a6d585026dd7bded38e62c8786f6",
"spec/acceptance/mod_deflate_spec.rb": "dd39bfb069e0233bf134caaeb1dc6fe6",
"spec/acceptance/mod_fcgid_spec.rb": "ef0e3368ea14247c05ff43217b5856ee",
"spec/acceptance/mod_mime_spec.rb": "0869792d98c1b2577f02d97c92f1765e",
"spec/acceptance/mod_negotiation_spec.rb": "017f6b0cc1496c25aa9b8a33ef8dbbb3",
"spec/acceptance/mod_pagespeed_spec.rb": "7d7732a41eae79bd6b816bb1e165a530",
"spec/acceptance/mod_passenger_spec.rb": "a66264ef73ad6c5396a06ab9b5444c7c",
"spec/acceptance/mod_php_spec.rb": "81218711d2e27b24e36a99eab74ccf19",
"spec/acceptance/mod_proxy_html_spec.rb": "34478fc2f12a23cd5a95d424f85da150",
"spec/acceptance/mod_security_spec.rb": "c783d44cf3ccba2fa6a3c14de0e486a0",
"spec/acceptance/mod_suphp_spec.rb": "f5c1f21e4c5323b81afc354c82e7ceb9",
"spec/acceptance/nodesets/centos-7-x64.yml": "a713f3abd3657f0ae2878829badd23cd",
"spec/acceptance/nodesets/debian-8-x64.yml": "d2d2977900989f30086ad251a14a1f39",
"spec/acceptance/nodesets/default.yml": "b42da5a1ea0c964567ba7495574b8808",
"spec/acceptance/nodesets/docker/centos-7.yml": "8a3892807bdd62306ae4774f41ba11ae",
"spec/acceptance/nodesets/docker/debian-8.yml": "ac8e871d1068c96de5e85a89daaec6df",
"spec/acceptance/nodesets/docker/ubuntu-14.04.yml": "dc42ee922a96908d85b8f0f08203ce58",
"spec/acceptance/nodesets/suse.yml": "eff62186e4de2ffed45a72a375380338",
"spec/acceptance/prefork_worker_spec.rb": "1570eefe61d667a1b43824adc0b2bb78",
"spec/acceptance/service_spec.rb": "341f157cb33fa48d5166d2274ad3bc65",
"spec/acceptance/version.rb": "6a1f2db3e369f3dc2b5bd76f4921891a",
"spec/acceptance/vhost_spec.rb": "69a14b4e593fa9ecfdccda1ab23b453a",
"spec/acceptance/vhosts_spec.rb": "c9635037681d569a053da6eb7ae5f4f4",
"spec/classes/apache_spec.rb": "fe0d844ef6cb3bad10e2d935ea16e737",
"spec/classes/dev_spec.rb": "6bc9ff7cffb77aac52c5bd3acc157d2d",
"spec/classes/mod/alias_spec.rb": "e62706d9925b0dc1821db78d01986a7e",
"spec/classes/mod/auth_cas_spec.rb": "46a7ba3fe31d3fc6175b8dce5105326e",
"spec/classes/mod/auth_kerb_spec.rb": "a32949cf0f8f93786b58589b102b1fe0",
"spec/classes/mod/auth_mellon_spec.rb": "81d3ea4b7567718ca810b625fd36d231",
"spec/classes/mod/authn_dbd_spec.rb": "8c794faaa5244e16f432c76679cb12d7",
"spec/classes/mod/authnz_ldap_spec.rb": "bef6980f85489c5fd7388511cb65b644",
"spec/classes/mod/cluster_spec.rb": "c1d01cc4a4f9ce10d692294019791e2f",
"spec/classes/mod/dav_svn_spec.rb": "6b3c4123a067e249f6c78c5b0cbcbcc7",
"spec/classes/mod/deflate_spec.rb": "adf6e41357fefe4ff1128e8fea4d3057",
"spec/classes/mod/dev_spec.rb": "1a30ef5fb18073fd2bf6f7923ff9c57f",
"spec/classes/mod/dir_spec.rb": "9e25507c094cb3b2fe6eb1106668b484",
"spec/classes/mod/disk_cache_spec.rb": "e821fa50ace7ab3398c43b16034748e9",
"spec/classes/mod/dumpio_spec.rb": "689d167b05e669c29709fc36940e7b05",
"spec/classes/mod/event_spec.rb": "46a304c796ac3928be0a67bec1f46b4f",
"spec/classes/mod/expires_spec.rb": "0d27e3438627f2ad34abacf582fb8b0b",
"spec/classes/mod/ext_filter_spec.rb": "7af18fdf1376f17e68dc99e5627ba067",
"spec/classes/mod/fastcgi_spec.rb": "59f7ea857b0fa614e8808270c529300f",
"spec/classes/mod/fcgid_spec.rb": "bda06cc347a8da8d7c7374add2654248",
"spec/classes/mod/info_spec.rb": "d51c6a9e6ae4d944488a43c8c15b95c0",
"spec/classes/mod/itk_spec.rb": "622f23a1346383846cbc98e38388034d",
"spec/classes/mod/ldap_spec.rb": "12863d495558fbe9f6cb7a50ab37688c",
"spec/classes/mod/mime_magic_spec.rb": "259304a80e92e4ba15e7cd719fe25c17",
"spec/classes/mod/mime_spec.rb": "d946fb96659b67bf7117ad7ed4b25cce",
"spec/classes/mod/negotiation_spec.rb": "44d50f7e6ef8c6388baa4c7cfc07be43",
"spec/classes/mod/pagespeed_spec.rb": "56bd7d82920cb734ea8139c9fed97de7",
"spec/classes/mod/passenger_spec.rb": "a7cb67b8f93b462dc9a1bf29ad7f2436",
"spec/classes/mod/perl_spec.rb": "1daa227f563ac19ff8dcdea0d0005ec4",
"spec/classes/mod/peruser_spec.rb": "c379ce85a997789856b12c27957bf994",
"spec/classes/mod/php_spec.rb": "2cc1a1d5d097be26eef3139b4e8eafaf",
"spec/classes/mod/prefork_spec.rb": "d82f0f25691ba019b912cd000dbb845f",
"spec/classes/mod/proxy_balancer_spec.rb": "c0bd0c3ebf39d7c66120b3837551f6b1",
"spec/classes/mod/proxy_connect_spec.rb": "baef920356c839b698c2adb865e79b5f",
"spec/classes/mod/proxy_html_spec.rb": "c6fc0e6b0cbcd3d5f9e65d533366ee32",
"spec/classes/mod/proxy_wstunnel.rb": "69bcef5e88aeb115290d8428186c80ec",
"spec/classes/mod/python_spec.rb": "5ca2dd0829b7baa1022c551b66548b20",
"spec/classes/mod/remoteip_spec.rb": "f9bf0bc64fef6d570f7b798ceef0d598",
"spec/classes/mod/reqtimeout_spec.rb": "2af2919e8253100fbc2e001d30a5cd15",
"spec/classes/mod/rpaf_spec.rb": "5c4725a4bcab9339d7309765390aaed1",
"spec/classes/mod/security_spec.rb": "adabc64a0a847c9f448c3282a4de1b94",
"spec/classes/mod/shib_spec.rb": "b4ec345e387f8d7186048f5d286bb71d",
"spec/classes/mod/speling_spec.rb": "96919b9fbd1e894fcfd649044c3dafb5",
"spec/classes/mod/ssl_spec.rb": "54219eac9b409a833a57ecfdce66a196",
"spec/classes/mod/status_spec.rb": "1eeaf906baf6ca82bf24c4e23494c71c",
"spec/classes/mod/suphp_spec.rb": "cc7c02c42e985aa133f9d868e14d9435",
"spec/classes/mod/worker_spec.rb": "c326e36fbcfe9f0c59dc1db389a33926",
"spec/classes/mod/wsgi_spec.rb": "5c76026d8f08ac7d17d7b34f089979a3",
"spec/classes/params_spec.rb": "adbd9f0dee677ea9439b9ce0d620894f",
"spec/classes/service_spec.rb": "d23f6cd3eac018e368e0ba32cbf95f11",
"spec/classes/vhosts_spec.rb": "9baf23eb534e944a1bd593e72dd3050e",
"spec/defines/balancer_spec.rb": "8793815eb22b5190977b154fcd97e85e",
"spec/defines/balancermember_spec.rb": "e93ded8b51cc1d73e52f453880b3576e",
"spec/defines/custom_config_spec.rb": "a7e3392933cabc8ed6bb57deaebb36d9",
"spec/defines/fastcgi_server_spec.rb": "8e167c1525cb9a7473efdde01efe0ca3",
"spec/defines/mod_spec.rb": "a10e5b2570419737c03cd0f6347cc985",
"spec/defines/modsec_link_spec.rb": "3421b21f8234637dd1c32ebcf89e44c3",
"spec/defines/vhost_custom_spec.rb": "d5596a7a0c239d4c0ed8bebbb6a124ab",
"spec/defines/vhost_spec.rb": "b9fc940b93fa4bde6e6d1ce1ef91d234",
"spec/fixtures/files/negotiation.conf": "9c11872e26327ec880749b5dfdea25d6",
"spec/fixtures/files/spec": "e964ecac35c35baa9b4c57dac4ff5b3e",
"spec/fixtures/templates/negotiation.conf.erb": "c838e612ce6f82a5efd12871ad562011",
"spec/spec_helper.rb": "b2db3bc02b4ac2fd5142a6621c641b07",
"spec/spec_helper_acceptance.rb": "bd3dc8d42f3774c2c5cea26df7488b07",
"spec/spec_helper_local.rb": "1b6ccd9b2f6946b81560239881774e94",
"spec/unit/apache_version_spec.rb": "c9d7b8ab46fb21d370702f02088281a2",
"spec/unit/provider/a2mod/gentoo_spec.rb": "02f7510cbf4945c5e1094ebcb967c8e0",
"spec/unit/puppet/parser/functions/bool2httpd_spec.rb": "0c9bca53eb43b5fc888126514b2a174c",
"spec/unit/puppet/parser/functions/enclose_ipv6_spec.rb": "0145a78254ea716e5e7600d9464318a8",
"spec/unit/puppet/parser/functions/validate_apache_log_level.rb": "8f558fd81d1655e9ab20896152eca512",
"templates/confd/no-accf.conf.erb": "a614f28c4b54370e4fa88403dfe93eb0",
"templates/fastcgi/server.erb": "30cdd04393bdb4f68678d00e2930721b",
"templates/httpd.conf.erb": "5a8eacfe858789a1e2059cd0452b6b01",
"templates/listen.erb": "6286aa08f9e28caee54b1e1ee031b9d6",
"templates/mod/alias.conf.erb": "370e9d394dd462d3ebc0dd345ab68f6f",
"templates/mod/auth_cas.conf.erb": "35e1291a5fa05067d7623c02bafb0ada",
"templates/mod/auth_mellon.conf.erb": "4e17d22a8f1bc312e976e8513199c945",
"templates/mod/authn_dbd.conf.erb": "7a84f5d3b3a4b92a88fe052b13376f8e",
"templates/mod/authnz_ldap.conf.erb": "d648a09c5625a7da5715f03526f2fefd",
"templates/mod/autoindex.conf.erb": "2421a3c6df32c7e38c2a7a22afdf5728",
"templates/mod/cgid.conf.erb": "f8ce27d60bc495bab16de2696ebb2fd0",
"templates/mod/cluster.conf.erb": "1b12d0b30352527474986eba1973b9b1",
"templates/mod/dav_fs.conf.erb": "10c1131168e35319e22b3fbfe51aebfd",
"templates/mod/deflate.conf.erb": "e866ecf2bfe8e42ea984267f569723db",
"templates/mod/dir.conf.erb": "2485da78a2506c14bf51dde38dd03360",
"templates/mod/disk_cache.conf.erb": "48d1b54ec1dedea7f68451bc0774790e",
"templates/mod/dumpio.conf.erb": "260a03d5f5b450095a5374690fbb34b2",
"templates/mod/event.conf.erb": "5e4095242d8e5dd99fe0823cfa2f1434",
"templates/mod/expires.conf.erb": "7a77f8b1d50c53ee77a6cb798c51a2b9",
"templates/mod/ext_filter.conf.erb": "4e4e4143ab402a9f9d51301b1a192202",
"templates/mod/fastcgi.conf.erb": "2404caa7d91dea083fc4f8b6f18acd24",
"templates/mod/fcgid.conf.erb": "1780c7808bb3811deaf0007c890df4dc",
"templates/mod/geoip.conf.erb": "93b95f44ec733ee8231be82381e02782",
"templates/mod/info.conf.erb": "c8580f35594e8f76da9c961def618739",
"templates/mod/itk.conf.erb": "eff84b78e4f2f8c5c3a2e9fc4b8aad16",
"templates/mod/ldap.conf.erb": "03ef6f461e4778342e6b94b8b4f3cd3a",
"templates/mod/load.erb": "01132434e6101080c41548b0ba7e57d8",
"templates/mod/mime.conf.erb": "2fa5a10d06ff979de1d5d2544586ab45",
"templates/mod/mime_magic.conf.erb": "067c3180b4216439b039822114144e78",
"templates/mod/mpm_event.conf.erb": "80097a19d063a4f973465d9ef5c0c0bf",
"templates/mod/negotiation.conf.erb": "a2f0fb40cd038cb17bedc2b84d9f48ea",
"templates/mod/nss.conf.erb": "03a7a3721b19706e00df00e457c5df69",
"templates/mod/pagespeed.conf.erb": "d1d8dfb00e528aab10a24518c7f148a6",
"templates/mod/passenger.conf.erb": "81512838f2fb7f01bf7fd674f023d086",
"templates/mod/peruser.conf.erb": "c4f4054aee899249ea6fef5a9e5c14ff",
"templates/mod/php.conf.erb": "c535da6adea16bdcb0586260eedf8c93",
"templates/mod/prefork.conf.erb": "f9ec5a7eaea78a19b04fa69f8acd8a84",
"templates/mod/proxy.conf.erb": "33a6a57edd324ba56e879a7b077ecf08",
"templates/mod/proxy_balancer.conf.erb": "a9f8d51a2a7169e5fd0c8415a3f9c662",
"templates/mod/proxy_html.conf.erb": "69c9ce9b7f24e1337065f1ce26b057a0",
"templates/mod/remoteip.conf.erb": "ad58e174410e3ff46ff93d4ad1e7b8a0",
"templates/mod/reqtimeout.conf.erb": "314ef068b786ae5afded290a8b6eab15",
"templates/mod/rpaf.conf.erb": "5447539c083ae54f3a9e93c1ac8c988b",
"templates/mod/security.conf.erb": "e309716298ed8709df5496c27d47fe36",
"templates/mod/security_crs.conf.erb": "5c7bc134c0675d75b66a5c8faaf11eb6",
"templates/mod/setenvif.conf.erb": "c7ede4173da1915b7ec088201f030c28",
"templates/mod/ssl.conf.erb": "6f9557964b967bb6715d1f19f266367a",
"templates/mod/status.conf.erb": "574ecc6f74e8b75d84710a44c4260210",
"templates/mod/suphp.conf.erb": "05bb7b3ea23976b032ce405bfd4edd18",
"templates/mod/userdir.conf.erb": "b555d16697b030d34ad18d41d4084c4c",
"templates/mod/worker.conf.erb": "dc4c7049af7312f5e82b3e72e8fccdfd",
"templates/mod/wsgi.conf.erb": "9a416fa3b71be0795679069809686300",
"templates/namevirtualhost.erb": "fbfca19a639e18e6c477e191344ac8ae",
"templates/ports_header.erb": "afe35cb5747574b700ebaa0f0b3a626e",
"templates/vhost/_access_log.erb": "522414033856b19a50a7ebb1c729438a",
"templates/vhost/_action.erb": "a004dfcac2e63cef65cf8aa0e270b636",
"templates/vhost/_additional_includes.erb": "10e9c0056e962c49459839a1576b082e",
"templates/vhost/_aliases.erb": "6412f695e911feac18986da38f290dae",
"templates/vhost/_allow_encoded_slashes.erb": "37dee0b6fe9287342a10b533955dff81",
"templates/vhost/_auth_cas.erb": "96fb19c558e7e187fe9160f00f39061c",
"templates/vhost/_auth_kerb.erb": "3d0de0c3066440dffcbc75215174705b",
"templates/vhost/_block.erb": "8fa2f970222dbc0a38898b5a0ab80411",
"templates/vhost/_charsets.erb": "d152b6a7815e9edc0fe9bf9acbe2f1ec",
"templates/vhost/_custom_fragment.erb": "325ff48cefc06db035daa3491c391a88",
"templates/vhost/_directories.erb": "f981420e239cc4a615ccb9a7852b37f4",
"templates/vhost/_docroot.erb": "65d882a3c9d6b6bdd2f9b771f378035a",
"templates/vhost/_error_document.erb": "81d3007c1301a5c5f244c082cfee9de2",
"templates/vhost/_fallbackresource.erb": "e6c103bee7f6f76b10f244fc9fd1cd3b",
"templates/vhost/_fastcgi.erb": "e6d743e11b776e155dc4f80c602fb7e1",
"templates/vhost/_file_footer.erb": "e27b2525783e590ca1820f1e2118285d",
"templates/vhost/_file_header.erb": "7c3c04eb4ac67403604113e2628696cf",
"templates/vhost/_filters.erb": "597b9de5ae210af9182a1c95172115e7",
"templates/vhost/_header.erb": "9eb9d4075f288183d8224ddec5b2f126",
"templates/vhost/_itk.erb": "8bf90b9855a9277f7a665b10f6c57fe9",
"templates/vhost/_jk_mounts.erb": "ce997ee7b5602af04062cd5f785da345",
"templates/vhost/_keepalive_options.erb": "16876858bac1e55b13545866b0428d90",
"templates/vhost/_logging.erb": "5bc4cbb1bc8a292acc0ba0420f96ca4e",
"templates/vhost/_passenger.erb": "54089ef42f49bf8285d2d5ccdcba0699",
"templates/vhost/_passenger_base_uris.erb": "c8d7f4da1434078e856c72671942dcd8",
"templates/vhost/_php.erb": "a16a9f3e146ce463481205e083d4bf79",
"templates/vhost/_php_admin.erb": "107a57e9e7b3f86d1abcf743f672a292",
"templates/vhost/_proxy.erb": "18b9bbb791d248179a08eb36ab895e12",
"templates/vhost/_rack.erb": "ebe187c1bdc81eec9c8e0d9026120b18",
"templates/vhost/_redirect.erb": "2d40ece74203cc00b861a058db91962c",
"templates/vhost/_requestheader.erb": "db1b0cdda069ae809b5b83b0871ef991",
"templates/vhost/_require.erb": "8a90d4c632b65ae1d89c66220f73ee80",
"templates/vhost/_rewrite.erb": "b7858eac95352744196006b57d4091df",
"templates/vhost/_scriptalias.erb": "98713f33cca15b22c749bd35ea9a7b41",
"templates/vhost/_security.erb": "0ade536a9d25342e7128996add04be56",
"templates/vhost/_serveralias.erb": "95fed45853629924467aefc271d5b396",
"templates/vhost/_serversignature.erb": "9bf5a458783ab459e5043e1cdf671fa7",
"templates/vhost/_setenv.erb": "6e6a7efb1b168da9673c9e6d00eadec5",
"templates/vhost/_ssl.erb": "788b293b65736aead0007fe3bc52448b",
"templates/vhost/_sslproxy.erb": "c327d73e1669bde19a64e53109d4b57e",
"templates/vhost/_suexec.erb": "f2b3f9b9ff8fbac4e468e02cd824675a",
"templates/vhost/_suphp.erb": "a1c4a5e4461adbfce870df0abd158b59",
"templates/vhost/_wsgi.erb": "8ae86dff3014767479a71441b0e6536e"
}


@@ -0,0 +1,6 @@
include ::apache
include ::apache::mod::php
include ::apache::mod::cgi
include ::apache::mod::userdir
include ::apache::mod::disk_cache
include ::apache::mod::proxy_http


@@ -0,0 +1 @@
include ::apache::mod::dev


@@ -0,0 +1 @@
include ::apache


@@ -0,0 +1,11 @@
# Tests the path and identifier parameters for the apache::mod class
# Base class for clarity:
class { '::apache': }
# Exaple parameter usage:
apache::mod { 'testmod':
path => '/usr/some/path/mod_testmod.so',
id => 'testmod_custom_name',
}


@@ -0,0 +1,9 @@
## Default mods
# Base class. Declares default vhost on port 80 and default ssl
# vhost on port 443 listening on all interfaces and serving
# $apache::docroot, and declaring our default set of modules.
class { '::apache':
default_mods => true,
}


@@ -0,0 +1,16 @@
## custom mods
# Base class. Declares default vhost on port 80 and default ssl
# vhost on port 443 listening on all interfaces and serving
# $apache::docroot, and declaring a custom set of modules.
class { '::apache':
default_mods => [
'info',
'alias',
'mime',
'env',
'setenv',
'expires',
],
}


@@ -0,0 +1,4 @@
class { '::apache':
mpm_module => 'prefork',
}
include ::apache::mod::php


@@ -0,0 +1,261 @@
## Default vhosts, and custom vhosts
# NB: Please see the other vhost_*.pp example files for further
# examples.
# Base class. Declares default vhost on port 80 and default ssl
# vhost on port 443 listening on all interfaces and serving
# $apache::docroot
class { '::apache': }
# Most basic vhost
apache::vhost { 'first.example.com':
port => '80',
docroot => '/var/www/first',
}
# Vhost with different docroot owner/group/mode
apache::vhost { 'second.example.com':
port => '80',
docroot => '/var/www/second',
docroot_owner => 'third',
docroot_group => 'third',
docroot_mode => '0770',
}
# Vhost with serveradmin
apache::vhost { 'third.example.com':
port => '80',
docroot => '/var/www/third',
serveradmin => 'admin@example.com',
}
# Vhost with ssl (uses default ssl certs)
apache::vhost { 'ssl.example.com':
port => '443',
docroot => '/var/www/ssl',
ssl => true,
}
# Vhost with ssl and specific ssl certs
apache::vhost { 'fourth.example.com':
port => '443',
docroot => '/var/www/fourth',
ssl => true,
ssl_cert => '/etc/ssl/fourth.example.com.cert',
ssl_key => '/etc/ssl/fourth.example.com.key',
}
# Vhost with english title and servername parameter
apache::vhost { 'The fifth vhost':
servername => 'fifth.example.com',
port => '80',
docroot => '/var/www/fifth',
}
# Vhost with server aliases
apache::vhost { 'sixth.example.com':
serveraliases => [
'sixth.example.org',
'sixth.example.net',
],
port => '80',
docroot => '/var/www/fifth',
}
# Vhost with alternate options
apache::vhost { 'seventh.example.com':
port => '80',
docroot => '/var/www/seventh',
options => [
'Indexes',
'MultiViews',
],
}
# Vhost with AllowOverride for .htaccess
apache::vhost { 'eighth.example.com':
port => '80',
docroot => '/var/www/eighth',
override => 'All',
}
# Vhost with access and error logs disabled
apache::vhost { 'ninth.example.com':
port => '80',
docroot => '/var/www/ninth',
access_log => false,
error_log => false,
}
# Vhost with custom access and error logs and logroot
apache::vhost { 'tenth.example.com':
port => '80',
docroot => '/var/www/tenth',
access_log_file => 'tenth_vhost.log',
error_log_file => 'tenth_vhost_error.log',
logroot => '/var/log',
}
# Vhost with a cgi-bin
apache::vhost { 'eleventh.example.com':
port => '80',
docroot => '/var/www/eleventh',
scriptalias => '/usr/lib/cgi-bin',
}
# Vhost with a proxypass configuration
apache::vhost { 'twelfth.example.com':
port => '80',
docroot => '/var/www/twelfth',
proxy_dest => 'http://internal.example.com:8080/twelfth',
no_proxy_uris => ['/login','/logout'],
}
# Vhost to redirect /login and /logout
apache::vhost { 'thirteenth.example.com':
port => '80',
docroot => '/var/www/thirteenth',
redirect_source => [
'/login',
'/logout',
],
redirect_dest => [
'http://10.0.0.10/login',
'http://10.0.0.10/logout',
],
}
# Vhost to permamently redirect
apache::vhost { 'fourteenth.example.com':
port => '80',
docroot => '/var/www/fourteenth',
redirect_source => '/blog',
redirect_dest => 'http://blog.example.com',
redirect_status => 'permanent',
}
# Vhost with a rack configuration
apache::vhost { 'fifteenth.example.com':
port => '80',
docroot => '/var/www/fifteenth',
rack_base_uris => ['/rackapp1', '/rackapp2'],
}
# Vhost to redirect non-ssl to ssl
apache::vhost { 'sixteenth.example.com non-ssl':
servername => 'sixteenth.example.com',
port => '80',
docroot => '/var/www/sixteenth',
rewrites => [
{
comment => 'redirect non-SSL traffic to SSL site',
rewrite_cond => ['%{HTTPS} off'],
rewrite_rule => ['(.*) https://%{HTTP_HOST}%{REQUEST_URI}'],
}
],
}
# Rewrite a URL to lower case
apache::vhost { 'sixteenth.example.com non-ssl':
servername => 'sixteenth.example.com',
port => '80',
docroot => '/var/www/sixteenth',
rewrites => [
{ comment => 'Rewrite to lower case',
rewrite_cond => ['%{REQUEST_URI} [A-Z]'],
rewrite_map => ['lc int:tolower'],
rewrite_rule => ['(.*) ${lc:$1} [R=301,L]'],
}
],
}
apache::vhost { 'sixteenth.example.com ssl':
servername => 'sixteenth.example.com',
port => '443',
docroot => '/var/www/sixteenth',
ssl => true,
}
# Vhost to redirect non-ssl to ssl using old rewrite method
apache::vhost { 'sixteenth.example.com non-ssl old rewrite':
servername => 'sixteenth.example.com',
port => '80',
docroot => '/var/www/sixteenth',
rewrite_cond => '%{HTTPS} off',
rewrite_rule => '(.*) https://%{HTTP_HOST}%{REQUEST_URI}',
}
apache::vhost { 'sixteenth.example.com ssl old rewrite':
servername => 'sixteenth.example.com',
port => '443',
docroot => '/var/www/sixteenth',
ssl => true,
}
# Vhost to block repository files
apache::vhost { 'seventeenth.example.com':
port => '80',
docroot => '/var/www/seventeenth',
block => 'scm',
}
# Vhost with special environment variables
apache::vhost { 'eighteenth.example.com':
port => '80',
docroot => '/var/www/eighteenth',
setenv => ['SPECIAL_PATH /foo/bin','KILROY was_here'],
}
apache::vhost { 'nineteenth.example.com':
port => '80',
docroot => '/var/www/nineteenth',
setenvif => 'Host "^([^\.]*)\.website\.com$" CLIENT_NAME=$1',
}
# Vhost with additional include files
apache::vhost { 'twentyieth.example.com':
port => '80',
docroot => '/var/www/twelfth',
additional_includes => ['/tmp/proxy_group_a','/tmp/proxy_group_b'],
}
# Vhost with alias for subdomain mapped to same named directory
# http://example.com.loc => /var/www/example.com
apache::vhost { 'subdomain.loc':
vhost_name => '*',
port => '80',
virtual_docroot => '/var/www/%-2+',
docroot => '/var/www',
serveraliases => ['*.loc',],
}
# Vhost with SSLProtocol,SSLCipherSuite, SSLHonorCipherOrder
apache::vhost { 'securedomain.com':
priority => '10',
vhost_name => 'www.securedomain.com',
port => '443',
docroot => '/var/www/secure',
ssl => true,
ssl_cert => '/etc/ssl/securedomain.cert',
ssl_key => '/etc/ssl/securedomain.key',
ssl_chain => '/etc/ssl/securedomain.crt',
ssl_protocol => '-ALL +TLSv1',
ssl_cipher => 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM',
ssl_honorcipherorder => 'On',
add_listen => false,
}
# Vhost with access log environment variables writing control
apache::vhost { 'twentyfirst.example.com':
port => '80',
docroot => '/var/www/twentyfirst',
access_log_env_var => 'admin',
}
# Vhost with a passenger_base configuration
apache::vhost { 'twentysecond.example.com':
port => '80',
docroot => '/var/www/twentysecond',
rack_base_uris => ['/passengerapp1', '/passengerapp2'],
}


@@ -0,0 +1,44 @@
# Base class. Declares default vhost on port 80 and default ssl
# vhost on port 443 listening on all interfaces and serving
# $apache::docroot
class { '::apache': }
# Example from README adapted.
apache::vhost { 'readme.example.net':
docroot => '/var/www/readme',
directories => [
{
'path' => '/var/www/readme',
'ServerTokens' => 'prod' ,
},
{
'path' => '/usr/share/empty',
'allow' => 'from all',
},
],
}
# location test
apache::vhost { 'location.example.net':
docroot => '/var/www/location',
directories => [
{
'path' => '/location',
'provider' => 'location',
'ServerTokens' => 'prod'
},
],
}
# files test, curedly disable access to accidental backup files.
apache::vhost { 'files.example.net':
docroot => '/var/www/files',
directories => [
{
'path' => '(\.swp|\.bak|~)$',
'provider' => 'filesmatch',
'deny' => 'from all'
},
],
}


@@ -0,0 +1,17 @@
# Base class. Declares default vhost on port 80 with filters.
class { '::apache': }
# Example from README adapted.
apache::vhost { 'readme.example.net':
docroot => '/var/www/html',
filters => [
'FilterDeclare COMPRESS',
'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html',
'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/css',
'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/plain',
'FilterProvider COMPRESS DEFLATE resp=Content-Type $text/xml',
'FilterChain COMPRESS',
'FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no',
],
}


@@ -0,0 +1,25 @@
## IP-based vhosts on any listen port
# IP-based vhosts respond to requests on specific IP addresses.
# Base class. Turn off the default vhosts; we will be declaring
# all vhosts below.
class { '::apache':
default_vhost => false,
}
# Listen on port 80 and 81; required because the following vhosts
# are not declared with a port parameter.
apache::listen { '80': }
apache::listen { '81': }
# IP-based vhosts
apache::vhost { 'first.example.com':
ip => '10.0.0.10',
docroot => '/var/www/first',
ip_based => true,
}
apache::vhost { 'second.example.com':
ip => '10.0.0.11',
docroot => '/var/www/second',
ip_based => true,
}


@@ -0,0 +1,66 @@
## vhost with proxyPass directive
# NB: Please see the other vhost_*.pp example files for further
# examples.
# Base class. Declares default vhost on port 80 and default ssl
# vhost on port 443 listening on all interfaces and serving
# $apache::docroot
class { '::apache': }
# Most basic vhost with proxy_pass
apache::vhost { 'first.example.com':
port => 80,
docroot => '/var/www/first',
proxy_pass => [
{
'path' => '/first',
'url' => 'http://localhost:8080/first'
},
],
}
# vhost with proxy_pass and parameters
apache::vhost { 'second.example.com':
port => 80,
docroot => '/var/www/second',
proxy_pass => [
{
'path' => '/second',
'url' => 'http://localhost:8080/second',
'params' => {
'retry' => '0',
'timeout' => '5',
}
},
],
}
# vhost with proxy_pass and keywords
apache::vhost { 'third.example.com':
port => 80,
docroot => '/var/www/third',
proxy_pass => [
{
'path' => '/third',
'url' => 'http://localhost:8080/third',
'keywords' => ['noquery', 'interpolate']
},
],
}
# vhost with proxy_pass, parameters and keywords
apache::vhost { 'fourth.example.com':
port => 80,
docroot => '/var/www/fourth',
proxy_pass => [
{
'path' => '/fourth',
'url' => 'http://localhost:8080/fourth',
'params' => {
'retry' => '0',
'timeout' => '5',
},
'keywords' => ['noquery', 'interpolate']
},
],
}


@@ -0,0 +1,23 @@
## SSL-enabled vhosts
# SSL-enabled vhosts respond only to HTTPS queries.
# Base class. Turn off the default vhosts; we will be declaring
# all vhosts below.
class { '::apache':
default_vhost => false,
}
# Non-ssl vhost
apache::vhost { 'first.example.com non-ssl':
servername => 'first.example.com',
port => '80',
docroot => '/var/www/first',
}
# SSL vhost at the same domain
apache::vhost { 'first.example.com ssl':
servername => 'first.example.com',
port => '443',
docroot => '/var/www/first',
ssl => true,
}


@@ -0,0 +1,53 @@
## Declare ip-based and name-based vhosts
# Mixing Name-based vhost with IP-specific vhosts requires `add_listen =>
# 'false'` on the non-IP vhosts
# Base class. Turn off the default vhosts; we will be declaring
# all vhosts below.
class { '::apache':
default_vhost => false,
}
# Add two an IP-based vhost on 10.0.0.10, ssl and non-ssl
apache::vhost { 'The first IP-based vhost, non-ssl':
servername => 'first.example.com',
ip => '10.0.0.10',
port => '80',
ip_based => true,
docroot => '/var/www/first',
}
apache::vhost { 'The first IP-based vhost, ssl':
servername => 'first.example.com',
ip => '10.0.0.10',
port => '443',
ip_based => true,
docroot => '/var/www/first-ssl',
ssl => true,
}
# Two name-based vhost listening on 10.0.0.20
apache::vhost { 'second.example.com':
ip => '10.0.0.20',
port => '80',
docroot => '/var/www/second',
}
apache::vhost { 'third.example.com':
ip => '10.0.0.20',
port => '80',
docroot => '/var/www/third',
}
# Two name-based vhosts without IPs specified, so that they will answer on either 10.0.0.10 or 10.0.0.20 . It is requried to declare
# `add_listen => 'false'` to disable declaring "Listen 80" which will conflict
# with the IP-based preceeding vhosts.
apache::vhost { 'fourth.example.com':
port => '80',
docroot => '/var/www/fourth',
add_listen => false,
}
apache::vhost { 'fifth.example.com':
port => '80',
docroot => '/var/www/fifth',
add_listen => false,
}


@@ -0,0 +1,24 @@
# Configuration file for the httpd service.
#
# The default processing model (MPM) is the process-based
# 'prefork' model. A thread-based model, 'worker', is also
# available, but does not work with some modules (such as PHP).
# The service must be stopped before changing this variable.
#
#HTTPD=/usr/sbin/httpd.worker
#
# To pass additional options (for instance, -D definitions) to the
# httpd binary at startup, set OPTIONS here.
#
#OPTIONS=
#OPTIONS=-DDOWN
#
# By default, the httpd process is started in the C locale; to
# change the locale in which the server runs, the HTTPD_LANG
# variable can be set.
#
#HTTPD_LANG=C
export SHORTHOST=`hostname -s`


@@ -0,0 +1,13 @@
Facter.add(:apache_version) do
setcode do
if Facter::Util::Resolution.which('apachectl')
apache_version = Facter::Util::Resolution.exec('apachectl -v 2>&1')
Facter.debug "Matching apachectl '#{apache_version}'"
%r{^Server version: Apache\/(\d+.\d+(.\d+)?)}.match(apache_version)[1]
elsif Facter::Util::Resolution.which('apache2ctl')
apache_version = Facter::Util::Resolution.exec('apache2ctl -v 2>&1')
Facter.debug "Matching apache2ctl '#{apache_version}'"
%r{^Server version: Apache\/(\d+.\d+(.\d+)?)}.match(apache_version)[1]
end
end
end


@@ -0,0 +1,30 @@
Puppet::Parser::Functions::newfunction(:bool2httpd, :type => :rvalue, :doc => <<-EOS
Transform a supposed boolean to On or Off. Pass all other values through.
Given a nil value (undef), bool2httpd will return 'Off'
Example:
$trace_enable = false
$server_signature = 'mail'
bool2httpd($trace_enable)
# => 'Off'
bool2httpd($server_signature)
# => 'mail'
bool2httpd(undef)
# => 'Off'
EOS
) do |args|
raise(Puppet::ParseError, "bool2httpd() wrong number of arguments. Given: #{args.size} for 1)") if args.size != 1
arg = args[0]
if arg.nil? or arg == false or arg =~ /false/i or arg == :undef
return 'Off'
elsif arg == true or arg =~ /true/i
return 'On'
end
return arg.to_s
end


@@ -0,0 +1,45 @@
#
# enclose_ipv6.rb
#
module Puppet::Parser::Functions
newfunction(:enclose_ipv6, :type => :rvalue, :doc => <<-EOS
Takes an array of ip addresses and encloses the ipv6 addresses with square brackets.
EOS
) do |arguments|
require 'ipaddr'
rescuable_exceptions = [ ArgumentError ]
if defined?(IPAddr::InvalidAddressError)
rescuable_exceptions << IPAddr::InvalidAddressError
end
if (arguments.size != 1) then
raise(Puppet::ParseError, "enclose_ipv6(): Wrong number of arguments "+
"given #{arguments.size} for 1")
end
unless arguments[0].is_a?(String) or arguments[0].is_a?(Array) then
raise(Puppet::ParseError, "enclose_ipv6(): Wrong argument type "+
"given #{arguments[0].class} expected String or Array")
end
input = [arguments[0]].flatten.compact
result = []
input.each do |val|
unless val == '*'
begin
ip = IPAddr.new(val)
rescue *rescuable_exceptions
raise(Puppet::ParseError, "enclose_ipv6(): Wrong argument "+
"given #{val} is not an ip address.")
end
val = "[#{ip.to_s}]" if ip.ipv6?
end
result << val
end
return result.uniq
end
end


@@ -0,0 +1,27 @@
module Puppet::Parser::Functions
newfunction(:validate_apache_log_level, :doc => <<-'ENDHEREDOC') do |args|
Perform simple validation of a string against the list of known log
levels as per http://httpd.apache.org/docs/current/mod/core.html#loglevel
validate_apache_loglevel('info')
Modules maybe specified with their own levels like these:
validate_apache_loglevel('warn ssl:info')
validate_apache_loglevel('warn mod_ssl.c:info')
validate_apache_loglevel('warn ssl_module:info')
Expected to be used from the main or vhost.
Might be used from directory too later as apaceh supports that
ENDHEREDOC
if (args.size != 1) then
raise Puppet::ParseError, ("validate_apache_loglevel(): wrong number of arguments (#{args.length}; must be 1)")
end
log_level = args[0]
msg = "Log level '${log_level}' is not one of the supported Apache HTTP Server log levels."
raise Puppet::ParseError, (msg) unless log_level =~ Regexp.compile('(emerg|alert|crit|error|warn|notice|info|debug|trace[1-8])')
end
end


@@ -0,0 +1,34 @@
class Puppet::Provider::A2mod < Puppet::Provider
def self.prefetch(mods)
instances.each do |prov|
if mod = mods[prov.name]
mod.provider = prov
end
end
end
def flush
@property_hash.clear
end
def properties
if @property_hash.empty?
@property_hash = query || {:ensure => :absent}
@property_hash[:ensure] = :absent if @property_hash.empty?
end
@property_hash.dup
end
def query
self.class.instances.each do |mod|
if mod.name == self.name or mod.name.downcase == self.name
return mod.properties
end
end
nil
end
def exists?
properties[:ensure] != :absent
end
end


@@ -0,0 +1,35 @@
require 'puppet/provider/a2mod'
Puppet::Type.type(:a2mod).provide(:a2mod, :parent => Puppet::Provider::A2mod) do
desc "Manage Apache 2 modules on Debian and Ubuntu"
optional_commands :encmd => "a2enmod"
optional_commands :discmd => "a2dismod"
commands :apache2ctl => "apache2ctl"
confine :osfamily => :debian
defaultfor :operatingsystem => [:debian, :ubuntu]
def self.instances
modules = apache2ctl("-M").lines.collect { |line|
m = line.match(/(\w+)_module \(shared\)$/)
m[1] if m
}.compact
modules.map do |mod|
new(
:name => mod,
:ensure => :present,
:provider => :a2mod
)
end
end
def create
encmd resource[:name]
end
def destroy
discmd resource[:name]
end
end


@@ -0,0 +1,116 @@
require 'puppet/util/filetype'
Puppet::Type.type(:a2mod).provide(:gentoo, :parent => Puppet::Provider) do
desc "Manage Apache 2 modules on Gentoo"
confine :operatingsystem => :gentoo
defaultfor :operatingsystem => :gentoo
attr_accessor :property_hash
def create
@property_hash[:ensure] = :present
end
def exists?
(!(@property_hash[:ensure].nil?) and @property_hash[:ensure] == :present)
end
def destroy
@property_hash[:ensure] = :absent
end
def flush
self.class.flush
end
class << self
attr_reader :conf_file
end
def self.clear
@mod_resources = []
@modules = []
@other_args = ""
end
def self.initvars
@conf_file = "/etc/conf.d/apache2"
@filetype = Puppet::Util::FileType.filetype(:flat).new(conf_file)
@mod_resources = []
@modules = []
@other_args = ""
end
self.initvars
# Retrieve an array of all existing modules
def self.modules
if @modules.length <= 0
# Locate the APACHE_OPTS variable
records = filetype.read.split(/\n/)
apache2_opts = records.grep(/^\s*APACHE2_OPTS=/).first
# Extract all defines
while apache2_opts.sub!(/-D\s+(\w+)/, '')
@modules << $1.downcase
end
# Hang on to any remaining options.
if apache2_opts.match(/APACHE2_OPTS="(.+)"/)
@other_args = $1.strip
end
@modules.sort!.uniq!
end
@modules
end
def self.prefetch(resources={})
# Match resources with existing providers
instances.each do |provider|
if resource = resources[provider.name]
resource.provider = provider
end
end
# Store all resources using this provider for flushing
resources.each do |name, resource|
@mod_resources << resource
end
end
def self.instances
modules.map {|mod| new(:name => mod, :provider => :gentoo, :ensure => :present)}
end
def self.flush
mod_list = modules
mods_to_remove = @mod_resources.select {|mod| mod.should(:ensure) == :absent}.map {|mod| mod[:name]}
mods_to_add = @mod_resources.select {|mod| mod.should(:ensure) == :present}.map {|mod| mod[:name]}
mod_list -= mods_to_remove
mod_list += mods_to_add
mod_list.sort!.uniq!
if modules != mod_list
opts = @other_args + " "
opts << mod_list.map {|mod| "-D #{mod.upcase}"}.join(" ")
opts.strip!
opts.gsub!(/\s+/, ' ')
apache2_opts = %Q{APACHE2_OPTS="#{opts}"}
Puppet.debug("Writing back \"#{apache2_opts}\" to #{conf_file}")
records = filetype.read.split(/\n/)
opts_index = records.find_index {|i| i.match(/^\s*APACHE2_OPTS/)}
records[opts_index] = apache2_opts
filetype.backup
filetype.write(records.join("\n"))
@modules = mod_list
end
end
end


@@ -0,0 +1,12 @@
Puppet::Type.type(:a2mod).provide :modfix do
desc "Dummy provider for A2mod.
Fake nil resources when there is no crontab binary available. Allows
puppetd to run on a bootstrapped machine before a Cron package has been
installed. Workaround for: http://projects.puppetlabs.com/issues/2384
"
def self.instances
[]
end
end


@@ -0,0 +1,60 @@
require 'puppet/provider/a2mod'
Puppet::Type.type(:a2mod).provide(:redhat, :parent => Puppet::Provider::A2mod) do
desc "Manage Apache 2 modules on RedHat family OSs"
commands :apachectl => "apachectl"
confine :osfamily => :redhat
defaultfor :osfamily => :redhat
require 'pathname'
# modpath: Path to default apache modules directory /etc/httpd/mod.d
# modfile: Path to module load configuration file; Default: resides under modpath directory
# libfile: Path to actual apache module library. Added in modfile LoadModule
attr_accessor :modfile, :libfile
class << self
attr_accessor :modpath
def preinit
@modpath = "/etc/httpd/mod.d"
end
end
self.preinit
def create
File.open(modfile,'w') do |f|
f.puts "LoadModule #{resource[:identifier]} #{libfile}"
end
end
def destroy
File.delete(modfile)
end
def self.instances
modules = apachectl("-M").lines.collect { |line|
m = line.match(/(\w+)_module \(shared\)$/)
m[1] if m
}.compact
modules.map do |mod|
new(
:name => mod,
:ensure => :present,
:provider => :redhat
)
end
end
def modfile
modfile ||= "#{self.class.modpath}/#{resource[:name]}.load"
end
# Set libfile path: If absolute path is passed, then maintain it. Else, make it default from 'modules' dir.
def libfile
libfile = Pathname.new(resource[:lib]).absolute? ? resource[:lib] : "modules/#{resource[:lib]}"
end
end


@@ -0,0 +1,30 @@
Puppet::Type.newtype(:a2mod) do
@doc = "Manage Apache 2 modules"
ensurable
newparam(:name) do
Puppet.warning "The a2mod provider is deprecated, please use apache::mod instead"
desc "The name of the module to be managed"
isnamevar
end
newparam(:lib) do
desc "The name of the .so library to be loaded"
defaultto { "mod_#{@resource[:name]}.so" }
end
newparam(:identifier) do
desc "Module identifier string used by LoadModule. Default: module-name_module"
# http://httpd.apache.org/docs/2.2/mod/module-dict.html#ModuleIdentifier
defaultto { "#{resource[:name]}_module" }
end
autorequire(:package) { catalog.resource(:package, 'httpd')}
end


@@ -0,0 +1,97 @@
# == Define Resource Type: apache::balancer
#
# This type will create an apache balancer cluster file inside the conf.d
# directory. Each balancer cluster needs one or more balancer members (that can
# be declared with the apache::balancermember defined resource type). Using
# storeconfigs, you can export the apache::balancermember resources on all
# balancer members, and then collect them on a single apache load balancer
# server.
#
# === Requirement/Dependencies:
#
# Currently requires the puppetlabs/concat module on the Puppet Forge and uses
# storeconfigs on the Puppet Master to export/collect resources from all
# balancer members.
#
# === Parameters
#
# [*name*]
# The namevar of the defined resource type is the balancer clusters name.
# This name is also used in the name of the conf.d file
#
# [*proxy_set*]
# Hash, default empty. If given, each key-value pair will be used as a ProxySet
# line in the configuration.
#
# [*target*]
# String, default undef. If given, path to the file the balancer definition will
# be written.
#
# [*collect_exported*]
# Boolean, default 'true'. True means 'collect exported @@balancermember
# resources' (for the case when every balancermember node exports itself),
# false means 'rely on the existing declared balancermember resources' (for the
# case when you know the full set of balancermembers in advance and use
# apache::balancermember with array arguments, which allows you to deploy
# everything in 1 run)
#
#
# === Examples
#
# Exporting the resource for a balancer member:
#
# apache::balancer { 'puppet00': }
#
define apache::balancer (
$proxy_set = {},
$collect_exported = true,
$target = undef,
) {
include ::apache::mod::proxy_balancer
if versioncmp($apache::mod::proxy_balancer::apache_version, '2.4') >= 0 {
$lbmethod = $proxy_set['lbmethod'] ? {
undef => 'byrequests',
default => $proxy_set['lbmethod'],
}
ensure_resource('apache::mod', "lbmethod_${lbmethod}")
}
if $target {
$_target = $target
} else {
$_target = "${::apache::confd_dir}/balancer_${name}.conf"
}
concat { "apache_balancer_${name}":
owner => '0',
group => '0',
path => $_target,
mode => $::apache::file_mode,
notify => Class['Apache::Service'],
}
concat::fragment { "00-${name}-header":
target => "apache_balancer_${name}",
order => '01',
content => "<Proxy balancer://${name}>\n",
}
if $collect_exported {
Apache::Balancermember <<| balancer_cluster == $name |>>
}
# else: the resources have been created and they introduced their
# concat fragments. We don't have to do anything about them.
concat::fragment { "01-${name}-proxyset":
target => "apache_balancer_${name}",
order => '19',
content => inline_template("<% @proxy_set.keys.sort.each do |key| %> Proxyset <%= key %>=<%= @proxy_set[key] %>\n<% end %>"),
}
concat::fragment { "01-${name}-footer":
target => "apache_balancer_${name}",
order => '20',
content => "</Proxy>\n",
}
}


@@ -0,0 +1,52 @@
# == Define Resource Type: apache::balancermember
#
# This type will setup a balancer member inside a listening service
# configuration block in /etc/apache/apache.cfg on the load balancer.
# currently it only has the ability to specify the instance name, url and an
# array of options. More features can be added as needed. The best way to
# implement this is to export this resource for all apache balancer member
# servers, and then collect them on the main apache load balancer.
#
# === Requirement/Dependencies:
#
# Currently requires the puppetlabs/concat module on the Puppet Forge and
# uses storeconfigs on the Puppet Master to export/collect resources
# from all balancer members.
#
# === Parameters
#
# [*name*]
# The title of the resource is arbitrary and only utilized in the concat
# fragment name.
#
# [*balancer_cluster*]
# The apache service's instance name (or, the title of the apache::balancer
# resource). This must match up with a declared apache::balancer resource.
#
# [*url*]
# The url used to contact the balancer member server.
#
# [*options*]
# An array of options to be specified after the url.
#
# === Examples
#
# Exporting the resource for a balancer member:
#
# @@apache::balancermember { 'apache':
# balancer_cluster => 'puppet00',
# url => "ajp://${::fqdn}:8009"
# options => ['ping=5', 'disablereuse=on', 'retry=5', 'ttl=120'],
# }
#
define apache::balancermember(
$balancer_cluster,
$url = "http://${::fqdn}/",
$options = [],
) {
concat::fragment { "BalancerMember ${name}":
target => "apache_balancer_${balancer_cluster}",
content => inline_template(" BalancerMember ${url} <%= @options.join ' ' %>\n"),
}
}


@@ -0,0 +1,10 @@
class apache::confd::no_accf {
# Template uses no variables
file { 'no-accf.conf':
ensure => 'file',
path => "${::apache::confd_dir}/no-accf.conf",
content => template('apache/confd/no-accf.conf.erb'),
require => Exec["mkdir ${::apache::confd_dir}"],
before => File[$::apache::confd_dir],
}
}


@@ -0,0 +1,73 @@
# See README.md for usage information
define apache::custom_config (
$ensure = 'present',
$confdir = $::apache::confd_dir,
$content = undef,
$priority = '25',
$source = undef,
$verify_command = $::apache::params::verify_command,
$verify_config = true,
$filename = undef,
) {
if $content and $source {
fail('Only one of $content and $source can be specified.')
}
if $ensure == 'present' and ! $content and ! $source {
fail('One of $content and $source must be specified.')
}
validate_re($ensure, '^(present|absent)$',
"${ensure} is not supported for ensure.
Allowed values are 'present' and 'absent'.")
validate_bool($verify_config)
if $filename {
$_filename = $filename
} else {
if $priority {
$priority_prefix = "${priority}-"
} else {
$priority_prefix = ''
}
## Apache include does not always work with spaces in the filename
$filename_middle = regsubst($name, ' ', '_', 'G')
$_filename = "${priority_prefix}${filename_middle}.conf"
}
if ! $verify_config or $ensure == 'absent' {
$notifies = Class['Apache::Service']
} else {
$notifies = undef
}
file { "apache_${name}":
ensure => $ensure,
path => "${confdir}/${_filename}",
content => $content,
source => $source,
require => Package['httpd'],
notify => $notifies,
}
if $ensure == 'present' and $verify_config {
exec { "syntax verification for ${name}":
command => $verify_command,
subscribe => File["apache_${name}"],
refreshonly => true,
notify => Class['Apache::Service'],
before => Exec["remove ${name} if invalid"],
require => Anchor['::apache::modules_set_up'],
}
exec { "remove ${name} if invalid":
command => "/bin/rm ${confdir}/${_filename}",
unless => $verify_command,
subscribe => File["apache_${name}"],
refreshonly => true,
}
}
}
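Review bot: The cleanup exec interpolates `${confdir}/${_filename}` into `/bin/rm` unquoted, and when `$filename` is passed explicitly it bypasses the space-to-underscore rewrite that is only applied to `$name`, so a filename containing whitespace or shell metacharacters hands rm the wrong argument(s). Validate the explicit name up front, `if $filename { validate_re($filename, '^[A-Za-z0-9._-]+$') }`, and quote the path, `command => "/bin/rm '${confdir}/${_filename}'",`. It is also worth a comment on the verify exec that `$verify_command` checks the whole server config, so an unrelated broken file would cause this one to be removed — assuming it is the usual `apachectl -t`, which is defined in params and not visible here.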


@@ -0,0 +1,15 @@
class apache::default_confd_files (
$all = true,
) {
# The rest of the conf.d/* files only get loaded if we want them
if $all {
case $::osfamily {
'freebsd': {
include ::apache::confd::no_accf
}
default: {
# do nothing
}
}
}
}


@@ -0,0 +1,179 @@
class apache::default_mods (
$all = true,
$mods = undef,
$apache_version = $::apache::apache_version,
$use_systemd = $::apache::use_systemd,
) {
# These are modules required to run the default configuration.
# They are not configurable at this time, so we just include
# them to make sure it works.
case $::osfamily {
'redhat': {
::apache::mod { 'log_config': }
if versioncmp($apache_version, '2.4') >= 0 {
# Lets fork it
# Do not try to load mod_systemd on RHEL/CentOS 6 SCL.
if ( !($::osfamily == 'redhat' and versioncmp($::operatingsystemrelease, '7.0') == -1) and !($::operatingsystem == 'Amazon') ) {
if ($use_systemd) {
::apache::mod { 'systemd': }
}
}
::apache::mod { 'unixd': }
}
}
'freebsd': {
::apache::mod { 'log_config': }
::apache::mod { 'unixd': }
}
'Suse': {
::apache::mod { 'log_config': }
}
default: {}
}
case $::osfamily {
'gentoo': {}
default: {
::apache::mod { 'authz_host': }
}
}
# The rest of the modules only get loaded if we want all modules enabled
if $all {
case $::osfamily {
'debian': {
include ::apache::mod::authn_core
include ::apache::mod::reqtimeout
if versioncmp($apache_version, '2.4') < 0 {
::apache::mod { 'authn_alias': }
}
}
'redhat': {
include ::apache::mod::actions
include ::apache::mod::authn_core
include ::apache::mod::cache
include ::apache::mod::ext_filter
include ::apache::mod::mime
include ::apache::mod::mime_magic
include ::apache::mod::rewrite
include ::apache::mod::speling
include ::apache::mod::suexec
include ::apache::mod::version
include ::apache::mod::vhost_alias
::apache::mod { 'auth_digest': }
::apache::mod { 'authn_anon': }
::apache::mod { 'authn_dbm': }
::apache::mod { 'authz_dbm': }
::apache::mod { 'authz_owner': }
::apache::mod { 'expires': }
::apache::mod { 'include': }
::apache::mod { 'logio': }
::apache::mod { 'substitute': }
::apache::mod { 'usertrack': }
if versioncmp($apache_version, '2.4') < 0 {
::apache::mod { 'authn_alias': }
::apache::mod { 'authn_default': }
}
}
'freebsd': {
include ::apache::mod::actions
include ::apache::mod::authn_core
include ::apache::mod::cache
include ::apache::mod::disk_cache
include ::apache::mod::headers
include ::apache::mod::info
include ::apache::mod::mime_magic
include ::apache::mod::reqtimeout
include ::apache::mod::rewrite
include ::apache::mod::userdir
include ::apache::mod::version
include ::apache::mod::vhost_alias
include ::apache::mod::speling
include ::apache::mod::filter
::apache::mod { 'asis': }
::apache::mod { 'auth_digest': }
::apache::mod { 'auth_form': }
::apache::mod { 'authn_anon': }
::apache::mod { 'authn_dbm': }
::apache::mod { 'authn_socache': }
::apache::mod { 'authz_dbd': }
::apache::mod { 'authz_dbm': }
::apache::mod { 'authz_owner': }
::apache::mod { 'dumpio': }
::apache::mod { 'expires': }
::apache::mod { 'file_cache': }
::apache::mod { 'imagemap':}
::apache::mod { 'include': }
::apache::mod { 'logio': }
::apache::mod { 'request': }
::apache::mod { 'session': }
::apache::mod { 'unique_id': }
}
default: {}
}
case $::apache::mpm_module {
'prefork': {
include ::apache::mod::cgi
}
'worker': {
include ::apache::mod::cgid
}
default: {
# do nothing
}
}
include ::apache::mod::alias
include ::apache::mod::authn_file
include ::apache::mod::autoindex
include ::apache::mod::dav
include ::apache::mod::dav_fs
include ::apache::mod::deflate
include ::apache::mod::dir
include ::apache::mod::mime
include ::apache::mod::negotiation
include ::apache::mod::setenvif
::apache::mod { 'auth_basic': }
if versioncmp($apache_version, '2.4') >= 0 {
# filter is needed by mod_deflate
include ::apache::mod::filter
# authz_core is needed for 'Require' directive
::apache::mod { 'authz_core':
id => 'authz_core_module',
}
# lots of stuff seems to break without access_compat
::apache::mod { 'access_compat': }
} else {
include ::apache::mod::authz_default
}
include ::apache::mod::authz_user
::apache::mod { 'authz_groupfile': }
include ::apache::mod::env
} elsif $mods {
::apache::default_mods::load { $mods: }
if versioncmp($apache_version, '2.4') >= 0 {
# authz_core is needed for 'Require' directive
::apache::mod { 'authz_core':
id => 'authz_core_module',
}
# filter is needed by mod_deflate
include ::apache::mod::filter
}
} else {
if versioncmp($apache_version, '2.4') >= 0 {
# authz_core is needed for 'Require' directive
::apache::mod { 'authz_core':
id => 'authz_core_module',
}
# filter is needed by mod_deflate
include ::apache::mod::filter
}
}
}


@@ -0,0 +1,8 @@
# private define
define apache::default_mods::load ($module = $title) {
if defined("apache::mod::${module}") {
include "::apache::mod::${module}"
} else {
::apache::mod { $module: }
}
}


@@ -0,0 +1,14 @@
class apache::dev {
if ! defined(Class['apache']) {
fail('You must include the apache base class before using any apache defined resources')
}
$packages = $::apache::dev_packages
if $packages { # FreeBSD doesn't have dev packages to install
package { $packages:
ensure => present,
require => Package['httpd'],
}
}
}


@@ -0,0 +1,29 @@
define apache::fastcgi::server (
$host = '127.0.0.1:9000',
$timeout = 15,
$flush = false,
$faux_path = "/var/www/${name}.fcgi",
$fcgi_alias = "/${name}.fcgi",
$file_type = 'application/x-httpd-php',
$pass_header = undef,
) {
include ::apache::mod::fastcgi
Apache::Mod['fastcgi'] -> Apache::Fastcgi::Server[$title]
if is_absolute_path($host) {
$socket = $host
}
file { "fastcgi-pool-${name}.conf":
ensure => present,
path => "${::apache::confd_dir}/fastcgi-pool-${name}.conf",
owner => 'root',
group => $::apache::params::root_group,
mode => $::apache::file_mode,
content => template('apache/fastcgi/server.erb'),
require => Exec["mkdir ${::apache::confd_dir}"],
before => File[$::apache::confd_dir],
notify => Class['apache::service'],
}
}


@@ -0,0 +1,398 @@
# Class: apache
#
# This class installs Apache
#
# Parameters:
#
# Actions:
# - Install Apache
# - Manage Apache service
#
# Requires:
#
# Sample Usage:
#
class apache (
$apache_name = $::apache::params::apache_name,
$service_name = $::apache::params::service_name,
$default_mods = true,
$default_vhost = true,
$default_charset = undef,
$default_confd_files = true,
$default_ssl_vhost = false,
$default_ssl_cert = $::apache::params::default_ssl_cert,
$default_ssl_key = $::apache::params::default_ssl_key,
$default_ssl_chain = undef,
$default_ssl_ca = undef,
$default_ssl_crl_path = undef,
$default_ssl_crl = undef,
$default_ssl_crl_check = undef,
$default_type = 'none',
$dev_packages = $::apache::params::dev_packages,
$ip = undef,
$service_enable = true,
$service_manage = true,
$service_ensure = 'running',
$service_restart = undef,
$purge_configs = false,
$purge_vhost_dir = undef,
$purge_vdir = false,
$serveradmin = 'root@localhost',
$sendfile = 'On',
$error_documents = false,
$timeout = '120',
$httpd_dir = $::apache::params::httpd_dir,
$server_root = $::apache::params::server_root,
$conf_dir = $::apache::params::conf_dir,
$confd_dir = $::apache::params::confd_dir,
$vhost_dir = $::apache::params::vhost_dir,
$vhost_enable_dir = $::apache::params::vhost_enable_dir,
$vhost_include_pattern = $::apache::params::vhost_include_pattern,
$mod_dir = $::apache::params::mod_dir,
$mod_enable_dir = $::apache::params::mod_enable_dir,
$mpm_module = $::apache::params::mpm_module,
$lib_path = $::apache::params::lib_path,
$conf_template = $::apache::params::conf_template,
$servername = $::apache::params::servername,
$pidfile = $::apache::params::pidfile,
$rewrite_lock = undef,
$manage_user = true,
$manage_group = true,
$user = $::apache::params::user,
$group = $::apache::params::group,
$keepalive = $::apache::params::keepalive,
$keepalive_timeout = $::apache::params::keepalive_timeout,
$max_keepalive_requests = $::apache::params::max_keepalive_requests,
$limitreqfieldsize = '8190',
$logroot = $::apache::params::logroot,
$logroot_mode = $::apache::params::logroot_mode,
$log_level = $::apache::params::log_level,
$log_formats = {},
$ssl_file = $::apache::params::ssl_file,
$ports_file = $::apache::params::ports_file,
$docroot = $::apache::params::docroot,
$apache_version = $::apache::version::default,
$server_tokens = 'OS',
$server_signature = 'On',
$trace_enable = 'On',
$allow_encoded_slashes = undef,
$package_ensure = 'installed',
$use_optional_includes = $::apache::params::use_optional_includes,
$use_systemd = $::apache::params::use_systemd,
$mime_types_additional = $::apache::params::mime_types_additional,
$file_mode = $::apache::params::file_mode,
$root_directory_options = $::apache::params::root_directory_options,
$root_directory_secured = false,
$error_log = $::apache::params::error_log,
$scriptalias = $::apache::params::scriptalias,
$access_log_file = $::apache::params::access_log_file,
$overwrite_ports = true,
) inherits ::apache::params {
validate_bool($default_vhost)
validate_bool($default_ssl_vhost)
validate_bool($default_confd_files)
# true/false is sufficient for both ensure and enable
validate_bool($service_enable)
validate_bool($service_manage)
validate_bool($use_optional_includes)
validate_bool($root_directory_secured)
$valid_mpms_re = $apache_version ? {
'2.4' => '(event|itk|peruser|prefork|worker)',
default => '(event|itk|prefork|worker)'
}
if $mpm_module and $mpm_module != 'false' { # lint:ignore:quoted_booleans
validate_re($mpm_module, $valid_mpms_re)
}
if $allow_encoded_slashes {
validate_re($allow_encoded_slashes, '(^on$|^off$|^nodecode$)', "${allow_encoded_slashes} is not permitted for allow_encoded_slashes. Allowed values are 'on', 'off' or 'nodecode'.")
}
# NOTE: on FreeBSD it's mpm module's responsibility to install httpd package.
# NOTE: the same strategy may be introduced for other OSes. For this, you
# should delete the 'if' block below and modify all MPM modules' manifests
# such that they include apache::package class (currently event.pp, itk.pp,
# peruser.pp, prefork.pp, worker.pp).
if $::osfamily != 'FreeBSD' {
package { 'httpd':
ensure => $package_ensure,
name => $apache_name,
notify => Class['Apache::Service'],
}
}
validate_re($sendfile, [ '^[oO]n$' , '^[oO]ff$' ])
# declare the web server user and group
# Note: requiring the package means the package ought to create them and not puppet
validate_bool($manage_user)
if $manage_user {
user { $user:
ensure => present,
gid => $group,
require => Package['httpd'],
}
}
validate_bool($manage_group)
if $manage_group {
group { $group:
ensure => present,
require => Package['httpd'],
}
}
validate_apache_log_level($log_level)
class { '::apache::service':
service_name => $service_name,
service_enable => $service_enable,
service_manage => $service_manage,
service_ensure => $service_ensure,
service_restart => $service_restart,
}
# Deprecated backwards-compatibility
if $purge_vdir {
warning('Class[\'apache\'] parameter purge_vdir is deprecated in favor of purge_configs')
$purge_confd = $purge_vdir
} else {
$purge_confd = $purge_configs
}
# Set purge vhostd appropriately
if $purge_vhost_dir == undef {
$purge_vhostd = $purge_confd
} else {
$purge_vhostd = $purge_vhost_dir
}
Exec {
path => '/bin:/sbin:/usr/bin:/usr/sbin',
}
exec { "mkdir ${confd_dir}":
creates => $confd_dir,
require => Package['httpd'],
}
file { $confd_dir:
ensure => directory,
recurse => true,
purge => $purge_confd,
force => $purge_confd,
notify => Class['Apache::Service'],
require => Package['httpd'],
}
if ! defined(File[$mod_dir]) {
exec { "mkdir ${mod_dir}":
creates => $mod_dir,
require => Package['httpd'],
}
# Don't purge available modules if an enable dir is used
$purge_mod_dir = $purge_configs and !$mod_enable_dir
file { $mod_dir:
ensure => directory,
recurse => true,
purge => $purge_mod_dir,
notify => Class['Apache::Service'],
require => Package['httpd'],
before => Anchor['::apache::modules_set_up'],
}
}
if $mod_enable_dir and ! defined(File[$mod_enable_dir]) {
$mod_load_dir = $mod_enable_dir
exec { "mkdir ${mod_enable_dir}":
creates => $mod_enable_dir,
require => Package['httpd'],
}
file { $mod_enable_dir:
ensure => directory,
recurse => true,
purge => $purge_configs,
notify => Class['Apache::Service'],
require => Package['httpd'],
}
} else {
$mod_load_dir = $mod_dir
}
if ! defined(File[$vhost_dir]) {
exec { "mkdir ${vhost_dir}":
creates => $vhost_dir,
require => Package['httpd'],
}
file { $vhost_dir:
ensure => directory,
recurse => true,
purge => $purge_vhostd,
notify => Class['Apache::Service'],
require => Package['httpd'],
}
}
if $vhost_enable_dir and ! defined(File[$vhost_enable_dir]) {
$vhost_load_dir = $vhost_enable_dir
exec { "mkdir ${vhost_load_dir}":
creates => $vhost_load_dir,
require => Package['httpd'],
}
file { $vhost_enable_dir:
ensure => directory,
recurse => true,
purge => $purge_vhostd,
notify => Class['Apache::Service'],
require => Package['httpd'],
}
} else {
$vhost_load_dir = $vhost_dir
}
if $overwrite_ports {
concat { $ports_file:
ensure => present,
owner => 'root',
group => $::apache::params::root_group,
mode => $::apache::file_mode,
notify => Class['Apache::Service'],
require => Package['httpd'],
}
concat::fragment { 'Apache ports header':
target => $ports_file,
content => template('apache/ports_header.erb'),
}
}
if $::apache::conf_dir and $::apache::params::conf_file {
if $::osfamily == 'gentoo' {
$error_documents_path = '/usr/share/apache2/error'
if is_array($default_mods) {
if versioncmp($apache_version, '2.4') >= 0 {
if defined('apache::mod::ssl') {
::portage::makeconf { 'apache2_modules':
content => concat($default_mods, [ 'authz_core', 'socache_shmcb' ]),
}
} else {
::portage::makeconf { 'apache2_modules':
content => concat($default_mods, 'authz_core'),
}
}
} else {
::portage::makeconf { 'apache2_modules':
content => $default_mods,
}
}
}
file { [
'/etc/apache2/modules.d/.keep_www-servers_apache-2',
'/etc/apache2/vhosts.d/.keep_www-servers_apache-2',
]:
ensure => absent,
require => Package['httpd'],
}
}
$apxs_workaround = $::osfamily ? {
'freebsd' => true,
default => false
}
if $rewrite_lock {
validate_absolute_path($rewrite_lock)
}
# Template uses:
# - $pidfile
# - $user
# - $group
# - $logroot
# - $error_log
# - $sendfile
# - $mod_dir
# - $ports_file
# - $confd_dir
# - $vhost_dir
# - $error_documents
# - $error_documents_path
# - $apxs_workaround
# - $keepalive
# - $keepalive_timeout
# - $max_keepalive_requests
# - $server_root
# - $server_tokens
# - $server_signature
# - $trace_enable
# - $rewrite_lock
# - $root_directory_secured
file { "${::apache::conf_dir}/${::apache::params::conf_file}":
ensure => file,
content => template($conf_template),
notify => Class['Apache::Service'],
require => [Package['httpd']],
}
# preserve back-wards compatibility to the times when default_mods was
# only a boolean value. Now it can be an array (too)
if is_array($default_mods) {
class { '::apache::default_mods':
all => false,
mods => $default_mods,
}
} else {
class { '::apache::default_mods':
all => $default_mods,
}
}
class { '::apache::default_confd_files':
all => $default_confd_files,
}
if $mpm_module and $mpm_module != 'false' { # lint:ignore:quoted_booleans
include "::apache::mod::${mpm_module}"
}
$default_vhost_ensure = $default_vhost ? {
true => 'present',
false => 'absent'
}
$default_ssl_vhost_ensure = $default_ssl_vhost ? {
true => 'present',
false => 'absent'
}
::apache::vhost { 'default':
ensure => $default_vhost_ensure,
port => '80',
docroot => $docroot,
scriptalias => $scriptalias,
serveradmin => $serveradmin,
access_log_file => $access_log_file,
priority => '15',
ip => $ip,
logroot_mode => $logroot_mode,
manage_docroot => $default_vhost,
}
$ssl_access_log_file = $::osfamily ? {
'freebsd' => $access_log_file,
default => "ssl_${access_log_file}",
}
::apache::vhost { 'default-ssl':
ensure => $default_ssl_vhost_ensure,
port => '443',
ssl => true,
docroot => $docroot,
scriptalias => $scriptalias,
serveradmin => $serveradmin,
access_log_file => $ssl_access_log_file,
priority => '15',
ip => $ip,
logroot_mode => $logroot_mode,
manage_docroot => $default_ssl_vhost,
}
}
# This anchor can be used as a reference point for things that need to happen *after*
# all modules have been put in place.
anchor { '::apache::modules_set_up': }
}
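Review bot: The hardening-relevant defaults in the parameter list — `$server_tokens = 'OS'`, `$server_signature = 'On'`, `$trace_enable = 'On'` — advertise the platform banner and leave the TRACE method enabled on every host built from this module unless the caller overrides them. Since this is a copy of an upstream module, the override belongs in the scenario manifests rather than here, e.g. `class { 'apache': server_tokens => 'Prod', server_signature => 'Off', trace_enable => 'Off' }` for anything not intended as a deliberately weak target. A comment on those three lines noting that they are intentionally the upstream defaults would stop a reader assuming the lab build hardened them. Whether the templates honour these values exactly is not visible in this hunk.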


@@ -0,0 +1,25 @@
define apache::listen ($port='') {
$listen_addr_port = $name
if defined(Concat[$::apache::ports_file]){
# Template uses: $listen_addr_port
concat::fragment { "Listen ${listen_addr_port}":
target => $::apache::ports_file,
content => template('apache/listen.erb'),
}
} elsif $port != '80' {
# Create a temporary file
# join with cat $tmp_file >> $file
# remove tmp files
$ports_file = $::apache::ports_file
$tmp_file = "$ports_file-tmp_listen"
file { $tmp_file:
ensure => file,
content => template('apache/listen.erb'),
}
exec { "apache::listen: cat $tmp_file with ports.conf":
command => "/bin/cat $tmp_file >> $ports_file;/bin/rm $tmp_file"
}
}
}
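Review bot: In the `elsif` branch the exec has no `unless`/`refreshonly` and no ordering against `File[$tmp_file]`, so on every agent run Puppet recreates the temp file and the exec appends it to `$ports_file` again, accumulating duplicate `Listen` lines (assuming `listen.erb` renders one `Listen` line, which is not visible here); Puppet also does not autorequire files named in a command string, so the exec may run before the temp file exists. Add `require => File[$tmp_file],` and `unless => "/bin/grep -qF 'Listen ${listen_addr_port}' '${ports_file}'",`, and quote both paths: `command => "/bin/cat '${tmp_file}' >> '${ports_file}'; /bin/rm '${tmp_file}'",`. The bare `$ports_file` and `$tmp_file` interpolations should also use `${...}` braces, as the rest of the module does.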


@@ -0,0 +1,176 @@
define apache::mod (
$package = undef,
$package_ensure = 'present',
$lib = undef,
$lib_path = $::apache::lib_path,
$id = undef,
$path = undef,
$loadfile_name = undef,
$loadfiles = undef,
) {
if ! defined(Class['apache']) {
fail('You must include the apache base class before using any apache defined resources')
}
$mod = $name
#include apache #This creates duplicate resources in rspec-puppet
$mod_dir = $::apache::mod_dir
# Determine if we have special lib
$mod_libs = $::apache::params::mod_libs
if $lib {
$_lib = $lib
} elsif has_key($mod_libs, $mod) { # 2.6 compatibility hack
$_lib = $mod_libs[$mod]
} else {
$_lib = "mod_${mod}.so"
}
# Determine if declaration specified a path to the module
if $path {
$_path = $path
} else {
$_path = "${lib_path}/${_lib}"
}
if $id {
$_id = $id
} else {
$_id = "${mod}_module"
}
if $loadfile_name {
$_loadfile_name = $loadfile_name
} else {
$_loadfile_name = "${mod}.load"
}
# Determine if we have a package
$mod_packages = $::apache::params::mod_packages
if $package {
$_package = $package
} elsif has_key($mod_packages, $mod) { # 2.6 compatibility hack
if ($::apache::apache_version == '2.4' and $::operatingsystem =~ /^[Aa]mazon$/) {
# On amazon linux we need to prefix our package name with mod24 instead of mod to support apache 2.4
$_package = regsubst($mod_packages[$mod],'^(mod_)?(.*)','mod24_\2')
} else {
$_package = $mod_packages[$mod]
}
} else {
$_package = undef
}
if $_package and ! defined(Package[$_package]) {
# note: FreeBSD/ports uses apxs tool to activate modules; apxs clutters
# httpd.conf with 'LoadModule' directives; here, by proper resource
# ordering, we ensure that our version of httpd.conf is reverted after
# the module gets installed.
$package_before = $::osfamily ? {
'freebsd' => [
File[$_loadfile_name],
File["${::apache::conf_dir}/${::apache::params::conf_file}"]
],
default => [
File[$_loadfile_name],
File[$::apache::confd_dir],
],
}
# if there are any packages, they should be installed before the associated conf file
Package[$_package] -> File<| title == "${mod}.conf" |>
# $_package may be an array
package { $_package:
ensure => $package_ensure,
require => Package['httpd'],
before => $package_before,
notify => Class['apache::service'],
}
}
file { $_loadfile_name:
ensure => file,
path => "${mod_dir}/${_loadfile_name}",
owner => 'root',
group => $::apache::params::root_group,
mode => $::apache::file_mode,
content => template('apache/mod/load.erb'),
require => [
Package['httpd'],
Exec["mkdir ${mod_dir}"],
],
before => File[$mod_dir],
notify => Class['apache::service'],
}
if $::osfamily == 'Debian' {
$enable_dir = $::apache::mod_enable_dir
file{ "${_loadfile_name} symlink":
ensure => link,
path => "${enable_dir}/${_loadfile_name}",
target => "${mod_dir}/${_loadfile_name}",
owner => 'root',
group => $::apache::params::root_group,
mode => $::apache::file_mode,
require => [
File[$_loadfile_name],
Exec["mkdir ${enable_dir}"],
],
before => File[$enable_dir],
notify => Class['apache::service'],
}
# Each module may have a .conf file as well, which should be
# defined in the class apache::mod::module
# Some modules do not require this file.
if defined(File["${mod}.conf"]) {
file{ "${mod}.conf symlink":
ensure => link,
path => "${enable_dir}/${mod}.conf",
target => "${mod_dir}/${mod}.conf",
owner => 'root',
group => $::apache::params::root_group,
mode => $::apache::file_mode,
require => [
File["${mod}.conf"],
Exec["mkdir ${enable_dir}"],
],
before => File[$enable_dir],
notify => Class['apache::service'],
}
}
} elsif $::osfamily == 'Suse' {
$enable_dir = $::apache::mod_enable_dir
file{ "${_loadfile_name} symlink":
ensure => link,
path => "${enable_dir}/${_loadfile_name}",
target => "${mod_dir}/${_loadfile_name}",
owner => 'root',
group => $::apache::params::root_group,
mode => $::apache::file_mode,
require => [
File[$_loadfile_name],
Exec["mkdir ${enable_dir}"],
],
before => File[$enable_dir],
notify => Class['apache::service'],
}
# Each module may have a .conf file as well, which should be
# defined in the class apache::mod::module
# Some modules do not require this file.
if defined(File["${mod}.conf"]) {
file{ "${mod}.conf symlink":
ensure => link,
path => "${enable_dir}/${mod}.conf",
target => "${mod_dir}/${mod}.conf",
owner => 'root',
group => $::apache::params::root_group,
mode => $::apache::file_mode,
require => [
File["${mod}.conf"],
Exec["mkdir ${enable_dir}"],
],
before => File[$enable_dir],
notify => Class['apache::service'],
}
}
}
Apache::Mod[$name] -> Anchor['::apache::modules_set_up']
}


@@ -0,0 +1,3 @@
class apache::mod::actions {
apache::mod { 'actions': }
}


@@ -0,0 +1,23 @@
class apache::mod::alias(
$apache_version = undef,
$icons_options = 'Indexes MultiViews',
# set icons_path to false to disable the alias
$icons_path = $::apache::params::alias_icons_path,
) inherits ::apache::params {
include ::apache
$_apache_version = pick($apache_version, $apache::apache_version)
apache::mod { 'alias': }
# Template uses $icons_path, $_apache_version
if $icons_path {
file { 'alias.conf':
ensure => file,
path => "${::apache::mod_dir}/alias.conf",
mode => $::apache::file_mode,
content => template('apache/mod/alias.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
notify => Class['apache::service'],
}
}
}


@@ -0,0 +1,3 @@
class apache::mod::auth_basic {
::apache::mod { 'auth_basic': }
}


@@ -0,0 +1,57 @@
class apache::mod::auth_cas (
$cas_login_url,
$cas_validate_url,
$cas_cookie_path = $::apache::params::cas_cookie_path,
$cas_cookie_path_mode = '0750',
$cas_version = 2,
$cas_debug = 'Off',
$cas_validate_server = undef,
$cas_validate_depth = undef,
$cas_certificate_path = undef,
$cas_proxy_validate_url = undef,
$cas_root_proxied_as = undef,
$cas_cookie_entropy = undef,
$cas_timeout = undef,
$cas_idle_timeout = undef,
$cas_cache_clean_interval = undef,
$cas_cookie_domain = undef,
$cas_cookie_http_only = undef,
$cas_authoritative = undef,
$cas_validate_saml = undef,
$cas_sso_enabled = undef,
$cas_attribute_prefix = undef,
$cas_attribute_delimiter = undef,
$cas_scrub_request_headers = undef,
$suppress_warning = false,
) inherits ::apache::params {
validate_string($cas_login_url, $cas_validate_url, $cas_cookie_path)
if $::osfamily == 'RedHat' and ! $suppress_warning {
warning('RedHat distributions do not have Apache mod_auth_cas in their default package repositories.')
}
include ::apache
::apache::mod { 'auth_cas': }
file { $cas_cookie_path:
ensure => directory,
before => File['auth_cas.conf'],
mode => $cas_cookie_path_mode,
owner => $apache::user,
group => $apache::group,
}
# Template uses
# - All variables beginning with cas_
file { 'auth_cas.conf':
ensure => file,
path => "${::apache::mod_dir}/auth_cas.conf",
mode => $::apache::file_mode,
content => template('apache/mod/auth_cas.conf.erb'),
require => [ Exec["mkdir ${::apache::mod_dir}"], ],
before => File[$::apache::mod_dir],
notify => Class['Apache::Service'],
}
}


@@ -0,0 +1,7 @@
class apache::mod::auth_kerb {
include ::apache
include ::apache::mod::authn_core
::apache::mod { 'auth_kerb': }
}


@@ -0,0 +1,26 @@
class apache::mod::auth_mellon (
$mellon_cache_size = $::apache::params::mellon_cache_size,
$mellon_lock_file = $::apache::params::mellon_lock_file,
$mellon_post_directory = $::apache::params::mellon_post_directory,
$mellon_cache_entry_size = undef,
$mellon_post_ttl = undef,
$mellon_post_size = undef,
$mellon_post_count = undef
) inherits ::apache::params {
include ::apache
::apache::mod { 'auth_mellon': }
# Template uses
# - All variables beginning with mellon_
file { 'auth_mellon.conf':
ensure => file,
path => "${::apache::mod_dir}/auth_mellon.conf",
mode => $::apache::file_mode,
content => template('apache/mod/auth_mellon.conf.erb'),
require => [ Exec["mkdir ${::apache::mod_dir}"], ],
before => File[$::apache::mod_dir],
notify => Class['Apache::Service'],
}
}


@@ -0,0 +1,7 @@
class apache::mod::authn_core(
$apache_version = $::apache::apache_version
) {
if versioncmp($apache_version, '2.4') >= 0 {
::apache::mod { 'authn_core': }
}
}


@@ -0,0 +1,30 @@
class apache::mod::authn_dbd (
$authn_dbd_params,
$authn_dbd_dbdriver = 'mysql',
$authn_dbd_query = undef,
$authn_dbd_min = '4',
$authn_dbd_max = '20',
$authn_dbd_keep = '8',
$authn_dbd_exptime = '300',
$authn_dbd_alias = undef,
) inherits ::apache::params {
include ::apache
include ::apache::mod::dbd
::apache::mod { 'authn_dbd': }
if $authn_dbd_alias {
include ::apache::mod::authn_core
}
# Template uses
# - All variables beginning with authn_dbd
file { 'authn_dbd.conf':
ensure => file,
path => "${::apache::mod_dir}/authn_dbd.conf",
mode => $::apache::file_mode,
content => template('apache/mod/authn_dbd.conf.erb'),
require => [ Exec["mkdir ${::apache::mod_dir}"], ],
before => File[$::apache::mod_dir],
notify => Class['Apache::Service'],
}
}


@@ -0,0 +1,3 @@
class apache::mod::authn_file {
::apache::mod { 'authn_file': }
}


@@ -0,0 +1,34 @@
# lint:ignore:variable_is_lowercase required for compatibility
class apache::mod::authnz_ldap (
$verify_server_cert = true,
$verifyServerCert = undef,
$package_name = undef,
) {
include ::apache
include '::apache::mod::ldap'
::apache::mod { 'authnz_ldap':
package => $package_name,
}
if $verifyServerCert {
warning('Class[\'apache::mod::authnz_ldap\'] parameter verifyServerCert is deprecated in favor of verify_server_cert')
$_verify_server_cert = $verifyServerCert
} else {
$_verify_server_cert = $verify_server_cert
}
validate_bool($_verify_server_cert)
# Template uses:
# - $_verify_server_cert
file { 'authnz_ldap.conf':
ensure => file,
path => "${::apache::mod_dir}/authnz_ldap.conf",
mode => $::apache::file_mode,
content => template('apache/mod/authnz_ldap.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
notify => Class['apache::service'],
}
}
# lint:endignore


@@ -0,0 +1,9 @@
class apache::mod::authz_default(
$apache_version = $::apache::apache_version
) {
if versioncmp($apache_version, '2.4') >= 0 {
warning('apache::mod::authz_default has been removed in Apache 2.4')
} else {
::apache::mod { 'authz_default': }
}
}


@@ -0,0 +1,3 @@
class apache::mod::authz_user {
::apache::mod { 'authz_user': }
}


@@ -0,0 +1,14 @@
class apache::mod::autoindex {
include ::apache
::apache::mod { 'autoindex': }
# Template uses no variables
file { 'autoindex.conf':
ensure => file,
path => "${::apache::mod_dir}/autoindex.conf",
mode => $::apache::file_mode,
content => template('apache/mod/autoindex.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
notify => Class['apache::service'],
}
}


@@ -0,0 +1,3 @@
class apache::mod::cache {
::apache::mod { 'cache': }
}


@@ -0,0 +1,17 @@
class apache::mod::cgi {
case $::osfamily {
'FreeBSD': {}
default: {
Class['::apache::mod::prefork'] -> Class['::apache::mod::cgi']
}
}
if $::osfamily == 'Suse' {
::apache::mod { 'cgi':
lib_path => '/usr/lib64/apache2-prefork',
}
} else {
::apache::mod { 'cgi': }
}
}


@@ -0,0 +1,42 @@
class apache::mod::cgid {
include ::apache
case $::osfamily {
'FreeBSD': {}
default: {
if defined(Class['::apache::mod::event']) {
Class['::apache::mod::event'] -> Class['::apache::mod::cgid']
} else {
Class['::apache::mod::worker'] -> Class['::apache::mod::cgid']
}
}
}
# Debian specifies it's cgid sock path, but RedHat uses the default value
# with no config file
$cgisock_path = $::osfamily ? {
'debian' => "\${APACHE_RUN_DIR}/cgisock",
'freebsd' => 'cgisock',
default => undef,
}
if $::osfamily == 'Suse' {
::apache::mod { 'cgid':
lib_path => '/usr/lib64/apache2-worker',
}
} else {
::apache::mod { 'cgid': }
}
if $cgisock_path {
# Template uses $cgisock_path
file { 'cgid.conf':
ensure => file,
path => "${::apache::mod_dir}/cgid.conf",
mode => $::apache::file_mode,
content => template('apache/mod/cgid.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
notify => Class['apache::service'],
}
}
}


@@ -0,0 +1,38 @@
class apache::mod::cluster (
$allowed_network,
$balancer_name,
$ip,
$version,
$enable_mcpm_receive = true,
$port = '6666',
$keep_alive_timeout = 60,
$manager_allowed_network = '127.0.0.1',
$max_keep_alive_requests = 0,
$server_advertise = true,
) {
include ::apache
::apache::mod { 'proxy': }
::apache::mod { 'proxy_ajp': }
::apache::mod { 'manager': }
::apache::mod { 'proxy_cluster': }
::apache::mod { 'advertise': }
if (versioncmp($version, '1.3.0') >= 0 ) {
::apache::mod { 'cluster_slotmem': }
} else {
::apache::mod { 'slotmem': }
}
file {'cluster.conf':
ensure => file,
path => "${::apache::mod_dir}/cluster.conf",
mode => $::apache::file_mode,
content => template('apache/mod/cluster.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
notify => Class['apache::service'],
}
}


@@ -0,0 +1,3 @@
class apache::mod::dav {
::apache::mod { 'dav': }
}


@@ -0,0 +1,22 @@
class apache::mod::dav_fs {
include ::apache
$dav_lock = $::osfamily ? {
'debian' => "\${APACHE_LOCK_DIR}/DAVLock",
'freebsd' => '/usr/local/var/DavLock',
default => '/var/lib/dav/lockdb',
}
Class['::apache::mod::dav'] -> Class['::apache::mod::dav_fs']
::apache::mod { 'dav_fs': }
# Template uses: $dav_lock
file { 'dav_fs.conf':
ensure => file,
path => "${::apache::mod_dir}/dav_fs.conf",
mode => $::apache::file_mode,
content => template('apache/mod/dav_fs.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
notify => Class['apache::service'],
}
}


@@ -0,0 +1,28 @@
class apache::mod::dav_svn (
$authz_svn_enabled = false,
) {
Class['::apache::mod::dav'] -> Class['::apache::mod::dav_svn']
include ::apache
include ::apache::mod::dav
if($::operatingsystem == 'SLES' and $::operatingsystemmajrelease < '12'){
package { 'subversion-server':
ensure => 'installed',
provider => 'zypper',
}
}
::apache::mod { 'dav_svn': }
if $::osfamily == 'Debian' and ($::operatingsystemmajrelease != '6' and $::operatingsystemmajrelease != '10.04' and $::operatingsystemrelease != '10.04' and $::operatingsystemmajrelease != '16.04') {
$loadfile_name = undef
} else {
$loadfile_name = 'dav_svn_authz_svn.load'
}
if $authz_svn_enabled {
::apache::mod { 'authz_svn':
loadfile_name => $loadfile_name,
require => Apache::Mod['dav_svn'],
}
}
}


@@ -0,0 +1,3 @@
class apache::mod::dbd {
::apache::mod { 'dbd': }
}


@@ -0,0 +1,27 @@
class apache::mod::deflate (
$types = [
'text/html text/plain text/xml',
'text/css',
'application/x-javascript application/javascript application/ecmascript',
'application/rss+xml',
'application/json',
],
$notes = {
'Input' => 'instream',
'Output' => 'outstream',
'Ratio' => 'ratio',
}
) {
include ::apache
::apache::mod { 'deflate': }
file { 'deflate.conf':
ensure => file,
path => "${::apache::mod_dir}/deflate.conf",
mode => $::apache::file_mode,
content => template('apache/mod/deflate.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
notify => Class['apache::service'],
}
}


@@ -0,0 +1,5 @@
class apache::mod::dev {
# Development packages are not apache modules
warning('apache::mod::dev is deprecated; please use apache::dev')
include ::apache::dev
}


@@ -0,0 +1,23 @@
# Note: this sets the global DirectoryIndex directive, it may be necessary to consider being able to modify the apache::vhost to declare DirectoryIndex statements in a vhost configuration
# Parameters:
# - $indexes provides a string for the DirectoryIndex directive http://httpd.apache.org/docs/current/mod/mod_dir.html#directoryindex
class apache::mod::dir (
$dir = 'public_html',
$indexes = ['index.html','index.html.var','index.cgi','index.pl','index.php','index.xhtml'],
) {
validate_array($indexes)
include ::apache
::apache::mod { 'dir': }
# Template uses
# - $indexes
file { 'dir.conf':
ensure => file,
path => "${::apache::mod_dir}/dir.conf",
mode => $::apache::file_mode,
content => template('apache/mod/dir.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
notify => Class['apache::service'],
}
}


@@ -0,0 +1,42 @@
class apache::mod::disk_cache (
$cache_root = undef,
) {
include ::apache
if $cache_root {
$_cache_root = $cache_root
}
elsif versioncmp($::apache::apache_version, '2.4') >= 0 {
$_cache_root = $::osfamily ? {
'debian' => '/var/cache/apache2/mod_cache_disk',
'redhat' => '/var/cache/httpd/proxy',
'freebsd' => '/var/cache/mod_cache_disk',
}
}
else {
$_cache_root = $::osfamily ? {
'debian' => '/var/cache/apache2/mod_disk_cache',
'redhat' => '/var/cache/mod_proxy',
'freebsd' => '/var/cache/mod_disk_cache',
}
}
if versioncmp($::apache::apache_version, '2.4') >= 0 {
apache::mod { 'cache_disk': }
}
else {
apache::mod { 'disk_cache': }
}
Class['::apache::mod::cache'] -> Class['::apache::mod::disk_cache']
# Template uses $_cache_root
file { 'disk_cache.conf':
ensure => file,
path => "${::apache::mod_dir}/disk_cache.conf",
mode => $::apache::file_mode,
content => template('apache/mod/disk_cache.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
notify => Class['apache::service'],
}
}


@@ -0,0 +1,20 @@
class apache::mod::dumpio(
$dump_io_input = 'Off',
$dump_io_output = 'Off',
) {
include ::apache
validate_re(downcase($dump_io_input), '^(on|off)$', "${dump_io_input} is not supported for dump_io_input. Allowed values are 'On' and 'Off'.")
validate_re(downcase($dump_io_output), '^(on|off)$', "${dump_io_output} is not supported for dump_io_output. Allowed values are 'On' and 'Off'.")
::apache::mod { 'dumpio': }
file{'dumpio.conf':
ensure => file,
path => "${::apache::mod_dir}/dumpio.conf",
mode => $::apache::file_mode,
content => template('apache/mod/dumpio.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
notify => Class['apache::service'],
}
}


@@ -0,0 +1,3 @@
class apache::mod::env {
::apache::mod { 'env': }
}


@@ -0,0 +1,76 @@
class apache::mod::event (
$startservers = '2',
$maxclients = '150',
$maxrequestworkers = undef,
$minsparethreads = '25',
$maxsparethreads = '75',
$threadsperchild = '25',
$maxrequestsperchild = '0',
$maxconnectionsperchild = undef,
$serverlimit = '25',
$apache_version = undef,
$threadlimit = '64',
$listenbacklog = '511',
) {
include ::apache
$_apache_version = pick($apache_version, $apache::apache_version)
if defined(Class['apache::mod::itk']) {
fail('May not include both apache::mod::event and apache::mod::itk on the same node')
}
if defined(Class['apache::mod::peruser']) {
fail('May not include both apache::mod::event and apache::mod::peruser on the same node')
}
if defined(Class['apache::mod::prefork']) {
fail('May not include both apache::mod::event and apache::mod::prefork on the same node')
}
if defined(Class['apache::mod::worker']) {
fail('May not include both apache::mod::event and apache::mod::worker on the same node')
}
File {
owner => 'root',
group => $::apache::params::root_group,
mode => $::apache::file_mode,
}
# Template uses:
# - $startservers
# - $maxclients
# - $minsparethreads
# - $maxsparethreads
# - $threadsperchild
# - $maxrequestsperchild
# - $serverlimit
file { "${::apache::mod_dir}/event.conf":
ensure => file,
mode => $::apache::file_mode,
content => template('apache/mod/event.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
notify => Class['apache::service'],
}
case $::osfamily {
'redhat': {
if versioncmp($_apache_version, '2.4') >= 0 {
apache::mpm{ 'event':
apache_version => $_apache_version,
}
}
}
'debian','freebsd' : {
apache::mpm{ 'event':
apache_version => $_apache_version,
}
}
'gentoo': {
::portage::makeconf { 'apache2_mpms':
content => 'event',
}
}
default: {
fail("Unsupported osfamily ${::osfamily}")
}
}
}


@@ -0,0 +1,22 @@
class apache::mod::expires (
$expires_active = true,
$expires_default = undef,
$expires_by_type = undef,
) {
include ::apache
::apache::mod { 'expires': }
# Template uses
# $expires_active
# $expires_default
# $expires_by_type
file { 'expires.conf':
ensure => file,
path => "${::apache::mod_dir}/expires.conf",
mode => $::apache::file_mode,
content => template('apache/mod/expires.conf.erb'),
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
notify => Class['apache::service'],
}
}


@@ -0,0 +1,25 @@
class apache::mod::ext_filter(
$ext_filter_define = undef
) {
include ::apache
if $ext_filter_define {
validate_hash($ext_filter_define)
}
::apache::mod { 'ext_filter': }
# Template uses
# -$ext_filter_define
if $ext_filter_define {
file { 'ext_filter.conf':
ensure => file,
path => "${::apache::mod_dir}/ext_filter.conf",
mode => $::apache::file_mode,
content => template('apache/mod/ext_filter.conf.erb'),
require => [ Exec["mkdir ${::apache::mod_dir}"], ],
before => File[$::apache::mod_dir],
notify => Class['Apache::Service'],
}
}
}
