From 61d7f0d4736ab0be5d2023b2938e77a0855c1de1 Mon Sep 17 00:00:00 2001
From: Lennart Betz
Date: Mon, 30 May 2022 18:19:48 +0200
Subject: [PATCH] Fix #58 unsupported apache feature CGIPassAuth for older version like on RHEL7
---
 data/Debian/Debian/8.yaml | 1 +
 data/Debian/Ubuntu/16.04.yaml | 1 +
 data/Linux-kernel.yaml | 2 ++
 data/RedHat/CentOS/6.yaml | 2 ++
 data/RedHat/CentOS/7.yaml | 1 +
 data/RedHat/RedHat/6.yaml | 1 +
 data/RedHat/RedHat/7.yaml | 1 +
 data/RedHat/Scientific/6.yaml | 1 +
 data/RedHat/Scientific/7.yaml | 1 +
 manifests/web.pp | 40 +++++++++++++----------
 templates/apache_custom_default.conf | 49 ++++++++++++++++++++++++++++
 11 files changed, 83 insertions(+), 17 deletions(-)
 create mode 100644 templates/apache_custom_default.conf
diff --git a/data/Debian/Debian/8.yaml b/data/Debian/Debian/8.yaml
index ffbf353..d3c8d20 100644
--- a/data/Debian/Debian/8.yaml
+++ b/data/Debian/Debian/8.yaml
@@ -1,2 +1,3 @@
 ---
 icinga::repos::configure_backports: true
+icinga::web::apache_cgi_pass_auth: false
diff --git a/data/Debian/Ubuntu/16.04.yaml b/data/Debian/Ubuntu/16.04.yaml
index ffbf353..d3c8d20 100644
--- a/data/Debian/Ubuntu/16.04.yaml
+++ b/data/Debian/Ubuntu/16.04.yaml
@@ -1,2 +1,3 @@
 ---
 icinga::repos::configure_backports: true
+icinga::web::apache_cgi_pass_auth: false
diff --git a/data/Linux-kernel.yaml b/data/Linux-kernel.yaml
index 72a4cec..169179e 100644
--- a/data/Linux-kernel.yaml
+++ b/data/Linux-kernel.yaml
@@ -17,3 +17,5 @@ icinga::redis::globals::run_dir: /var/run/icinga-redis
 icinga::redis::globals::work_dir: /var/lib/icinga-redis
 icinga::redis::globals::user: icinga-redis
 icinga::redis::globals::group: icinga-redis
+
+icinga::web::apache_cgi_pass_auth: true
diff --git a/data/RedHat/CentOS/6.yaml b/data/RedHat/CentOS/6.yaml
index f5e4f89..cffbaa1 100644
--- a/data/RedHat/CentOS/6.yaml
+++ b/data/RedHat/CentOS/6.yaml
@@ -1,2 +1,4 @@
 ---
 icinga::repos::manage_epel: true
+icinga::web::apache_cgi_pass: false
+icinga::web::apache_cgi_pass_auth: false
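Review bot: Setting `icinga::web::apache_cgi_pass_auth: false` for Ubuntu 16.04 may switch the header pass-through off on a platform that supports it. That release ships, as far as I know, Apache 2.4.18, which is newer than the 2.4.15 threshold this patch documents in manifests/web.pp. If that holds, authenticated access to the Icinga Web API is lost there without need; please confirm the packaged version and drop the override if it is not required. The identical override for Debian 8 looks plausible, since that release presumably carries an older Apache.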
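Review bot: The CentOS 6 data adds `icinga::web::apache_cgi_pass: false`, a key that matches no parameter this patch declares; the class in manifests/web.pp gains only `apache_cgi_pass_auth`, and none of the other release files carry the shorter key. It reads like a leftover that automatic parameter lookup would silently ignore, so I would drop that line and keep only `icinga::web::apache_cgi_pass_auth: false`. More generally, these per-release `false` values stand in for an Apache version check, so an old release that is not listed here inherits `true` from data/Linux-kernel.yaml.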
diff --git a/data/RedHat/CentOS/7.yaml b/data/RedHat/CentOS/7.yaml
index f5e4f89..41df7a0 100644
--- a/data/RedHat/CentOS/7.yaml
+++ b/data/RedHat/CentOS/7.yaml
@@ -1,2 +1,3 @@
 ---
 icinga::repos::manage_epel: true
+icinga::web::apache_cgi_pass_auth: false
diff --git a/data/RedHat/RedHat/6.yaml b/data/RedHat/RedHat/6.yaml
index f5e4f89..41df7a0 100644
--- a/data/RedHat/RedHat/6.yaml
+++ b/data/RedHat/RedHat/6.yaml
@@ -1,2 +1,3 @@
 ---
 icinga::repos::manage_epel: true
+icinga::web::apache_cgi_pass_auth: false
diff --git a/data/RedHat/RedHat/7.yaml b/data/RedHat/RedHat/7.yaml
index f5e4f89..41df7a0 100644
--- a/data/RedHat/RedHat/7.yaml
+++ b/data/RedHat/RedHat/7.yaml
@@ -1,2 +1,3 @@
 ---
 icinga::repos::manage_epel: true
+icinga::web::apache_cgi_pass_auth: false
diff --git a/data/RedHat/Scientific/6.yaml b/data/RedHat/Scientific/6.yaml
index f5e4f89..41df7a0 100644
--- a/data/RedHat/Scientific/6.yaml
+++ b/data/RedHat/Scientific/6.yaml
@@ -1,2 +1,3 @@
 ---
 icinga::repos::manage_epel: true
+icinga::web::apache_cgi_pass_auth: false
diff --git a/data/RedHat/Scientific/7.yaml b/data/RedHat/Scientific/7.yaml
index f5e4f89..41df7a0 100644
--- a/data/RedHat/Scientific/7.yaml
+++ b/data/RedHat/Scientific/7.yaml
@@ -1,2 +1,3 @@
 ---
 icinga::repos::manage_epel: true
+icinga::web::apache_cgi_pass_auth: false
diff --git a/manifests/web.pp b/manifests/web.pp
index 1a5c5af..4d81e9b 100644
--- a/manifests/web.pp
+++ b/manifests/web.pp
@@ -1,57 +1,62 @@
 # @summary
 # Setup Icinga Web 2 including a database backend for user settings.
 #
-# @param [String] db_pass
+# @param db_pass
 # Password to connect the database.
 #
-# @param [String] api_pass
+# @param api_pass
 # Password to connect the Icinga 2 API.
 #
-# @param [String] backend_db_pass
+# @param apache_cgi_pass_auth
+# Either turn on or off the apache cgi pass thru auth.
+# An option available since Apache v2.4.15 and required for authenticated access to the Icinga Web Api.
+#
+# @param backend_db_pass
 # Pasword to connect the IDO backend.
 #
-# @param [Enum['mysql', 'pgsql']] db_type
+# @param db_type
 # What kind of database type to use.
 #
-# @param [Stdlib::Host] db_host
+# @param db_host
 # Database host to connect.
 #
-# @param [Optional[Stdlib::Port::Unprivileged]] db_port
+# @param db_port
 # Port to connect. Only affects for connection to remote database hosts.
 #
-# @param [String] db_name
+# @param db_name
 # Name of the database.
 #
-# @param [String] db_user
+# @param db_user
 # Database user name.
 #
-# @param [Boolean] manage_database
+# @param manage_database
 # Create database.
 #
-# @param [Variant[Stdlib::Host, Array[Stdlib::Host]]] api_host
+# @param api_host
 # Single or list of Icinga 2 API endpoints to connect.
 #
-# @param [String] api_user
+# @param api_user
 # Icinga 2 API user.
 #
-# @param [Enum['mysql', 'pgsql']] backend_db_type
+# @param backend_db_type
 # What kind of database type to use as IDO backend.
 #
-# @param [Stdlib::Host] backend_db_host
+# @param backend_db_host
 # Database host to connect for the IDO backenend.
 #
-# @param [Optional[Stdlib::Port::Unprivileged]] backend_db_port
+# @param backend_db_port
 # Port to connect the IDO backend. Only affects for connection to remote database hosts.
 #
-# @param [String] backend_db_name
+# @param backend_db_name
 # Name of the IDO database backend.
 #
-# @param [String] backend_db_user
+# @param backend_db_user
 # IDO database backend user name.
 #
 class icinga::web(
 String $db_pass,
 String $api_pass,
+ Boolean $apache_cgi_pass_auth,
 String $backend_db_pass,
 Enum['mysql', 'pgsql'] $db_type = 'mysql',
 Stdlib::Host $db_host = 'localhost',
@@ -108,6 +113,7 @@
 $php_globals = {}
 }
 }
+
 $php_extensions = {
 mbstring => { ini_prefix => '20-' },
 json => { ini_prefix => '20-' },
@@ -197,7 +203,7 @@
 apache::custom_config { 'icingaweb2':
 ensure => present,
- source => 'puppet:///modules/icingaweb2/examples/apache2/for-mod_proxy_fcgi.conf',
+ content => template('icinga/apache_custom_default.conf'),
 verify_config => false,
 priority => false,
 }
diff --git a/templates/apache_custom_default.conf b/templates/apache_custom_default.conf
new file mode 100644
index 0000000..58d00c7
--- /dev/null
+++ b/templates/apache_custom_default.conf
@@ -0,0 +1,49 @@
+Alias /icingaweb2 "/usr/share/icingaweb2/public"
+
+
+ Options SymLinksIfOwnerMatch
+ AllowOverride None
+
+ DirectoryIndex index.php
+
+
+ # Apache 2.4
+
+ Require all granted
+
+
+
+
+ # Apache 2.2
+ Order allow,deny
+ Allow from all
+
+
+ SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"
+
+ EnableSendfile Off
+
+
+ RewriteEngine on
+ RewriteBase /icingaweb2/
+ RewriteCond %{REQUEST_FILENAME} -s [OR]
+ RewriteCond %{REQUEST_FILENAME} -l [OR]
+ RewriteCond %{REQUEST_FILENAME} -d
+ RewriteRule ^.*$ - [NC,L]
+ RewriteRule ^.*$ index.php [NC,L]
+
+
+
+ DirectoryIndex error_norewrite.html
+ ErrorDocument 404 /icingaweb2/error_norewrite.html
+
+
+ # forwarding PHP requests to FPM
+ # remove comments if you want to use FPM
+
+<% if @apache_cgi_pass_auth -%> CGIPassAuth on
+<% end -%>
+ SetHandler "proxy:fcgi://127.0.0.1:9000"
+ ErrorDocument 503 /icingaweb2/error_unavailable.html
+
+
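Review bot: `Boolean $apache_cgi_pass_auth` is declared without a default, between the two password parameters, so the class fails to compile on any platform whose Hiera hierarchy reaches neither data/Linux-kernel.yaml nor one of the release files; if that is intended, the `@param` text should say the value comes from module data. The doc block also omits what the switch exposes, so I would add a line such as `#   When true, Apache passes the client's HTTP Authorization header (including Basic credentials) through to the PHP backend.` The comment names Apache 2.4.15, while the Apache documentation, as far as I recall, lists CGIPassAuth from 2.4.13; worth checking. The hunk ends inside the parameter list, so the remaining parameters are not visible here.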
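Review bot: The rendered template is written with `verify_config => false` (unchanged context), so a `CGIPassAuth` line on an Apache that does not know the directive goes out unchecked and only surfaces when the service reloads. Because the data files key on OS release rather than on the installed Apache, I would gate on the version instead, for example with the `apache_version` fact from puppetlabs-apache if it is available at this point, which the hunk does not show. The file contains ERB tags but is named `.conf`; a rename with `template('icinga/apache_custom_default.conf.erb')` would follow the usual convention. The resource sits inside the class body, which starts and ends outside the hunk.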
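Review bot: The handler target `proxy:fcgi://127.0.0.1:9000` is hard-coded, so the class cannot point Apache at a Unix socket or a different FPM port, and a TCP listener on loopback accepts connections from any local process. I would expose the target as a class parameter and render it, e.g. `SetHandler "proxy:fcgi://<%= @fpm_listen %>"`, where the parameter name is a placeholder. The comment `# remove comments if you want to use FPM` is stale now that the handler lines are active and should be dropped or reworded. The section tags of this file are not visible on this page, so the scope in which `CGIPassAuth on` applies could not be checked.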