From 011cd8ab90cf9becd98720f11fe7952e3b0b5c11 Mon Sep 17 00:00:00 2001
From: Alexander Ursu
Date: Tue, 4 Feb 2020 12:45:54 +0100
Subject: [PATCH 1/2] Add new directives on virtual host level

Added deirectives LimitRequestBody, LimitRequestFields, LimitRequestFieldSize and LimitRequestLine
---
 manifests/vhost.pp | 34 ++++++++++++++++++++++++++++++++
 spec/defines/vhost_spec.rb | 24 ++++++++++++++++++++++
 templates/vhost/_file_header.erb | 12 +++++++++++
 3 files changed, 70 insertions(+)

diff --git a/manifests/vhost.pp b/manifests/vhost.pp
index f2e8ebd787..ffad93f275 100644
--- a/manifests/vhost.pp
+++ b/manifests/vhost.pp
@@ -1632,6 +1632,36 @@
 # @param oidc_settings
 # An Apache::OIDCSettings Struct containing (mod_auth_openidc settings)[https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf].
 #
+# @param limitreqfields
+# The `limitreqfields` parameter sets the maximum number of request header fields in
+# an HTTP request. This directive gives the server administrator greater control over
+# abnormal client request behavior, which may be useful for avoiding some forms of
+# denial-of-service attacks. The value should be increased if normal clients see an error
+# response from the server that indicates too many fields were sent in the request.
+#
+# @param limitreqfieldsize
+# The `limitreqfieldsize` parameter sets the maximum ammount of _bytes_ that will
+# be allowed within a request header.
+#
+# @param limitreqline
+# Limit the size of the HTTP request line that will be accepted from the client
+# This directive sets the number of bytes that will be allowed on the HTTP
+# request-line. The LimitRequestLine directive allows the server administrator
+# to set the limit on the allowed size of a client's HTTP request-line. Since
+# the request-line consists of the HTTP method, URI, and protocol version, the
+# LimitRequestLine directive places a restriction on the length of a request-URI
+# allowed for a request on the server. A server needs this value to be large
+# enough to hold any of its resource names, including any information that might
+# be passed in the query part of a GET request.
+#
+# @param limitreqbody
+# Restricts the total size of the HTTP request body sent from the client
+# The LimitRequestBody directive allows the user to set a limit on the allowed
+# size of an HTTP request message body within the context in which the
+# directive is given (server, per-directory, per-file or per-location). If the
+# client request exceeds that limit, the server will return an error response
+# instead of servicing the request.
+#
 define apache::vhost(
 Variant[Boolean,String] $docroot,
 $manage_docroot = true,
@@ -1710,6 +1740,10 @@
 Optional[Variant[Stdlib::Absolutepath, Enum['disabled']]] $fallbackresource = undef,
 $scriptalias = undef,
 $scriptaliases = [],
+ Optional[Integer] $limitreqfieldsize = undef,
+ Optional[Integer] $limitreqfields = undef,
+ Optional[Integer] $limitreqline = undef,
+ Optional[Integer] $limitreqbody = undef,
 $proxy_dest = undef,
 $proxy_dest_match = undef,
 $proxy_dest_reverse_match = undef,
diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb
index f40cfcccf5..7effb2b4b5 100644
--- a/spec/defines/vhost_spec.rb
+++ b/spec/defines/vhost_spec.rb
@@ -259,6 +259,10 @@
 'path' => '/usr/share/fooscripts$1',
 },
 ],
+ 'limitreqfieldsize' => 8190,
+ 'limitreqfields' => 100,
+ 'limitreqline' => 8190,
+ 'limitreqbody' => 0,
 'proxy_dest' => '/',
 'proxy_pass' => [
 {
@@ -518,6 +522,26 @@
 }
 end
 it { is_expected.to contain_concat__fragment('rspec.example.com-apache-header') }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-apache-header').with(
+ content: %r{^\s+LimitRequestFieldSize 8190$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-apache-header').with(
+ content: %r{^\s+LimitRequestFields 100$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-apache-header').with(
+ content: %r{^\s+LimitRequestLine 8190$},
+ )
+ }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-apache-header').with(
+ content: %r{^\s+LimitRequestBody 0$},
+ )
+ }
 it { is_expected.to contain_concat__fragment('rspec.example.com-docroot') }
 it { is_expected.to contain_concat__fragment('rspec.example.com-aliases') }
 it { is_expected.to contain_concat__fragment('rspec.example.com-itk') }
diff --git a/templates/vhost/_file_header.erb b/templates/vhost/_file_header.erb
index 65d9b5cfd6..ac119ae01e 100644
--- a/templates/vhost/_file_header.erb
+++ b/templates/vhost/_file_header.erb
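Review bot: The new `@param` blocks for `limitreqfields`, `limitreqfieldsize` and `limitreqline` omit the caveat that matters most when these are set per vhost: httpd has to enforce these three limits before it has read the Host header, so under name-based virtual hosting the value that applies is the one configured on the default (first-listed) vhost for that address:port, not necessarily the vhost the request is later routed to. I would add to each of those three blocks a line such as `# Under name-based virtual hosting httpd applies the value set on the default (first) vhost for the address:port, so set it there if it is meant as a hard limit.` The `limitreqbody` block should also say that `0` means no limit, since the spec sets `'limitreqbody' => 0` and expects `LimitRequestBody 0` to be rendered, and `ammount` in the `limitreqfieldsize` text is a typo for `amount`. The `apache::vhost` parameter list these comments document starts in the trailing context and continues beyond the hunk.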
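Review bot: `Optional[Integer]` on the four new parameters accepts negative values, which httpd (as far as I recall its core directive handlers) refuses with a "must be a non-negative integer" error, so a stray `-1` would only surface as a failed service reload on the node rather than at catalog compile time. Tightening the type to `Optional[Integer[0]] $limitreqfieldsize = undef,` (and likewise for `limitreqfields`, `limitreqline` and `limitreqbody`) keeps `undef` as the "not rendered" default while rejecting the values httpd cannot load. The enclosing `define apache::vhost(` parameter list begins before this hunk and ends after it.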
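Review bot: The four new examples only assert that a directive is rendered when its parameter is set; nothing exercises the unset path, so a template regression that rendered the directives unconditionally (or with an empty value) would still pass. A companion example in the default-parameters context, assuming its fragment is also named `rspec.example.com-apache-header`, pins the conditional: `it { is_expected.to contain_concat__fragment('rspec.example.com-apache-header').without_content(%r{LimitRequest}) }`. The `LimitRequestBody 0` example is worth keeping as is, since `0` is truthy in Ruby and is exactly the value that must still be emitted.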
@@ -23,3 +23,15 @@
 ProtocolsHonorOrder <%= scope.call_function('apache::bool2httpd', [@protocols_honor_order]) %>
 <%- end -%>
 <% end -%>
+<% if @limitreqfieldsize -%>
+ LimitRequestFieldSize <%= @limitreqfieldsize %>
+<% end -%>
+<% if @limitreqfields -%>
+ LimitRequestFields <%= @limitreqfields %>
+<% end -%>
+<% if @limitreqline -%>
+ LimitRequestLine <%= @limitreqline %>
+<% end -%>
+<% if @limitreqbody -%>
+ LimitRequestBody <%= @limitreqbody %>
+<% end -%>
\ No newline at end of file

From e37da46f853ed321e5c7dd4297e2f1db6800ec3d Mon Sep 17 00:00:00 2001
From: Alexander Ursu
Date: Tue, 4 Feb 2020 12:56:29 +0100
Subject: [PATCH 2/2] Corrected PDK issues (rubocop errors)

---
 spec/defines/vhost_spec.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb
index 7effb2b4b5..f1a16ba3f3 100644
--- a/spec/defines/vhost_spec.rb
+++ b/spec/defines/vhost_spec.rb
@@ -525,22 +525,22 @@
 it {
 is_expected.to contain_concat__fragment('rspec.example.com-apache-header').with(
 content: %r{^\s+LimitRequestFieldSize 8190$},
- )
+ )
 }
 it {
 is_expected.to contain_concat__fragment('rspec.example.com-apache-header').with(
 content: %r{^\s+LimitRequestFields 100$},
- )
+ )
 }
 it {
 is_expected.to contain_concat__fragment('rspec.example.com-apache-header').with(
 content: %r{^\s+LimitRequestLine 8190$},
- )
+ )
 }
 it {
 is_expected.to contain_concat__fragment('rspec.example.com-apache-header').with(
 content: %r{^\s+LimitRequestBody 0$},
- )
+ )
 }
 it { is_expected.to contain_concat__fragment('rspec.example.com-docroot') }
 it { is_expected.to contain_concat__fragment('rspec.example.com-aliases') }
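Review bot: The final added `<% end -%>` is written without a trailing newline (`\ No newline at end of file`), so the template now differs from the rest of the tree in a way that will show up as a noisy hunk on the next edit; terminate the file with a newline. Because `-%>` swallows the following line break, this should not change the rendered fragment, so it is a style point only. A short template comment above the first `<% if @limitreqfieldsize -%>` would also help operators reading the generated config: `<%# LimitRequestFieldSize/Fields/Line are enforced before the Host header is parsed; under name-based hosting httpd uses the default vhost's values for this address:port -%>`.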