diff --git a/Puppetfile b/Puppetfile index 1fa3787a9..ab8844c2f 100644 --- a/Puppetfile +++ b/Puppetfile @@ -1,5 +1,5 @@ mod 'apache', - :commit => '84219d81079b901a1400660757e399c365dacbda', + :commit => '44b0f0f851119c6504628b287f1776f303f22f99', :git => 'https://github.com/puppetlabs/puppetlabs-apache.git' mod 'aviator', diff --git a/apache/CHANGELOG.md b/apache/CHANGELOG.md index 6e0b1ee87..7a722a8a9 100644 --- a/apache/CHANGELOG.md +++ b/apache/CHANGELOG.md @@ -1,10 +1,9 @@ -##2015-06-16 - Supported Release 1.5.0 +##2015-06-11 - Supported Release 1.5.0 ### Summary This release primarily adds Suse compatibility. It also adds a handful of other parameters for greater configuration control. ### Features -- Now compatible with concat 1.x and 2.x - Add `apache::lib_path` parameter - Add `apache::service_restart` parameter - Add `apache::vhost::geoip_enable` parameter @@ -29,6 +28,7 @@ parameters for greater configuration control. - Fix alias module being declared even when vhost is absent - Fix proxy\_pass\_match handling in vhost's proxy template - Fix userdir access permissions +- Fix issue where the module was trying to use systemd on Amazon Linux. ##2015-04-28 - Supported Release 1.4.1 diff --git a/apache/Gemfile b/apache/Gemfile index 2b1b7cd8d..bfe64b186 100644 --- a/apache/Gemfile +++ b/apache/Gemfile @@ -28,6 +28,7 @@ group :system_tests do gem 'beaker-rspec', :require => false end gem 'serverspec', :require => false + gem 'beaker-puppet_install_helper', :require => false end diff --git a/apache/README.md b/apache/README.md index 087bbc869..68a91e94c 100644 --- a/apache/README.md +++ b/apache/README.md 
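Review bot: The new `gem 'beaker-puppet_install_helper', :require => false` line in apache/Gemfile has no version constraint, although after this commit that gem decides how Puppet gets installed on the acceptance hosts (spec_helper_acceptance.rb now only calls `run_puppet_install_helper`, replacing the block that defaulted to `3.8.1`). A constraint such as `gem 'beaker-puppet_install_helper', '~> <PINNED_VERSION>', :require => false` would keep test runs reproducible and limit what a new upstream release can change on those hosts. The neighbouring gems are unpinned as well, so this may be a deliberate convention; the Puppetfile in the same commit, by contrast, pins apache to a full commit hash.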
@@ -666,14 +666,44 @@ These are the default settings: ```puppet class {'apache::mod::geoip': - $enable => false, - $db_file => '/usr/share/GeoIP/GeoIP.dat', - $flag => 'Standard', - $output => 'All', + enable => false, + db_file => '/usr/share/GeoIP/GeoIP.dat', + flag => 'Standard', + output => 'All', } ``` -The parameter `db_file` can be a single directory or a hash of directories. +#####`enable` + +Boolean. Enable or Disable mod_geoip globally. Defaults to false. + +#####`db_file` + +The full path to your GeoIP database file. Defaults to `/usr/share/GeoIP/GeoIP.dat`. This parameter optionally takes an array of paths for multiple GeoIP database files. + +#####`flag` + +GeoIP Flag. Defaults to 'Standard'. + +#####`output` + +Defines which output variables to use. Defaults to 'All'. + +#####`enable_utf8` + +Boolean. Changes the output from ISO-8859-1 (Latin-1) to UTF-8. + +#####`scan_proxy_headers` + +Boolean. Enables the GeoIPScanProxyHeaders option. More information can be found [here](http://dev.maxmind.com/geoip/legacy/mod_geoip2/#Proxy-Related_Directives). + +#####`scan_proxy_header_field` + +Specifies which header that mod_geoip should look at to determine the client's IP address. + +#####`use_last_xforwarededfor_ip` + +Boolean. If a comma-separated list of IP addresses is found, use the last IP address for the client's IP. ####Class: `apache::mod::info` @@ -823,6 +853,7 @@ Installs Apache SSL capabilities and uses the ssl.conf.erb template. These are t ssl_compression => false, ssl_cryptodevice => 'builtin', ssl_options => [ 'StdEnvVars' ], + ssl_openssl_conf_cmd => undef, ssl_cipher => 'HIGH:MEDIUM:!aNULL:!MD5', ssl_honorcipherorder => 'On', ssl_protocol => [ 'all', '-SSLv2', '-SSLv3' ], 
@@ -2251,6 +2282,10 @@ An array: } ``` +#####`ssl_openssl_conf_cmd` + +Sets the [SSLOpenSSLConfCmd](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslopensslconfcmd) directive, which provides direct configuration of OpenSSL parameters. Defaults to 'undef'. + #####`ssl_proxyengine` Specifies whether or not to use [SSLProxyEngine](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyengine). Valid values are 'true' and 'false'. Defaults to 'false'. diff --git a/apache/manifests/default_mods.pp b/apache/manifests/default_mods.pp index 0d8969ca6..9e3c2c69a 100644 --- a/apache/manifests/default_mods.pp +++ b/apache/manifests/default_mods.pp @@ -12,7 +12,7 @@ if versioncmp($apache_version, '2.4') >= 0 { # Lets fork it # Do not try to load mod_systemd on RHEL/CentOS 6 SCL. - if ( !($::osfamily == 'redhat' and versioncmp($::operatingsystemrelease, '7.0') == -1) and !($::operatingsystem == 'Amazon' and versioncmp($::operatingsystemrelease, '2014.09') <= 0 ) ) { + if ( !($::osfamily == 'redhat' and versioncmp($::operatingsystemrelease, '7.0') == -1) and !($::operatingsystem == 'Amazon') ) { ::apache::mod { 'systemd': } } ::apache::mod { 'unixd': } diff --git a/apache/manifests/mod/geoip.pp b/apache/manifests/mod/geoip.pp index 4e87cb96a..1f8fb08ee 100644 --- a/apache/manifests/mod/geoip.pp +++ b/apache/manifests/mod/geoip.pp @@ -5,6 +5,7 @@ $output = 'All', $enable_utf8 = undef, $scan_proxy_headers = undef, + $scan_proxy_header_field = undef, $use_last_xforwarededfor_ip = undef, ) { ::apache::mod { 'geoip': } @@ -16,6 +17,7 @@ # - output # - enable_utf8 # - scan_proxy_headers + # - scan_proxy_header_field # - use_last_xforwarededfor_ip file { 'geoip.conf': ensure => file, diff --git a/apache/manifests/mod/ssl.pp b/apache/manifests/mod/ssl.pp index 4a6b82334..9e68d21b7 100644 --- a/apache/manifests/mod/ssl.pp +++ b/apache/manifests/mod/ssl.pp 
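Review bot: The comment above the condition in apache/manifests/default_mods.pp still names only RHEL/CentOS 6 SCL, while the rewritten condition now skips mod_systemd on every Amazon Linux release. I would extend it to something like `# Do not try to load mod_systemd on RHEL/CentOS 6 SCL or on Amazon Linux (any release).` so the unversioned exclusion is visible to whoever revisits it. The enclosing `if versioncmp($apache_version, '2.4') >= 0` block continues outside the hunk.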
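Review bot: `$scan_proxy_header_field` is added to apache/manifests/mod/geoip.pp without validation, and the geoip.conf.erb hunk of this commit writes it into the config verbatim (`GeoIPScanProxyHeaderField <%= @scan_proxy_header_field %>`), so a value containing whitespace or a newline yields extra arguments or extra directives. Since it should be a single HTTP header name, I would add `if $scan_proxy_header_field { validate_re($scan_proxy_header_field, '\A[A-Za-z0-9-]+\z') }` (stdlib) in the class body, anchored with `\A`/`\z` because `^`/`$` match per line. The parameter documentation could also say that the named header is client-controlled unless a trusted proxy overwrites it, so GeoIP results derived from it should not drive access decisions on their own. The class header and body lie outside the hunk.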
@@ -2,6 +2,7 @@ $ssl_compression = false, $ssl_cryptodevice = 'builtin', $ssl_options = [ 'StdEnvVars' ], + $ssl_openssl_conf_cmd = undef, $ssl_cipher = 'HIGH:MEDIUM:!aNULL:!MD5', $ssl_honorcipherorder = 'On', $ssl_protocol = [ 'all', '-SSLv2', '-SSLv3' ], @@ -57,6 +58,7 @@ # $ssl_cipher # $ssl_honorcipherorder # $ssl_options + # $ssl_openssl_conf_cmd # $session_cache # $ssl_mutex # $ssl_random_seed_bytes diff --git a/apache/manifests/vhost.pp b/apache/manifests/vhost.pp index 17f61e313..976bd1f8b 100644 --- a/apache/manifests/vhost.pp +++ b/apache/manifests/vhost.pp @@ -26,6 +26,7 @@ $ssl_verify_client = undef, $ssl_verify_depth = undef, $ssl_options = undef, + $ssl_openssl_conf_cmd = undef, $ssl_proxyengine = false, $priority = undef, $default_vhost = false, @@ -627,7 +628,7 @@ # - $proxy_pass_match # - $proxy_preserve_host # - $no_proxy_uris - if $proxy_dest or $proxy_pass or $proxy_pass_match { + if $proxy_dest or $proxy_pass or $proxy_pass_match or $proxy_dest_match { concat::fragment { "${name}-proxy": target => "${priority_real}${filename}.conf", order => 140, @@ -729,6 +730,7 @@ # - $ssl_verify_client # - $ssl_verify_depth # - $ssl_options + # - $ssl_openssl_conf_cmd # - $apache_version if $ssl { concat::fragment { "${name}-ssl": diff --git a/apache/spec/acceptance/basic_spec.rb b/apache/spec/acceptance/basic_spec.rb deleted file mode 100644 index 6c2b3f462..000000000 --- a/apache/spec/acceptance/basic_spec.rb +++ /dev/null @@ -1,12 +0,0 @@ -require 'spec_helper_acceptance' - -describe 'disable selinux:', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - it "because otherwise apache won't work" do - apply_manifest(%{ - exec { "setenforce 0": - path => "/bin:/sbin:/usr/bin:/usr/sbin", - onlyif => "which setenforce && getenforce | grep Enforcing", - } - }, :catch_failures => true) - end -end diff --git a/apache/spec/acceptance/mod_security_spec.rb b/apache/spec/acceptance/mod_security_spec.rb index 60295787e..18de2804e 100644 
--- a/apache/spec/acceptance/mod_security_spec.rb +++ b/apache/spec/acceptance/mod_security_spec.rb @@ -18,6 +18,18 @@ pp = "class { 'epel': }" apply_manifest(pp, :catch_failures => true) end + elsif fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '7' + it 'changes obsoletes, per PUP-4497' do + pp = <<-EOS + ini_setting { 'obsoletes': + path => '/etc/yum.conf', + section => 'main', + setting => 'obsoletes', + value => '0', + } + EOS + apply_manifest(pp, :catch_failures => true) + end end it 'succeeds in puppeting mod_security' do diff --git a/apache/spec/classes/mod/ssl_spec.rb b/apache/spec/classes/mod/ssl_spec.rb index 50aa8292f..1e8b94edc 100644 --- a/apache/spec/classes/mod/ssl_spec.rb +++ b/apache/spec/classes/mod/ssl_spec.rb @@ -136,5 +136,14 @@ end it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLRandomSeed startup file:/dev/urandom 1024$})} end + + context 'setting ssl_openssl_conf_cmd' do + let :params do + { + :ssl_openssl_conf_cmd => 'DHParameters "foo.pem"', + } + end + it { is_expected.to contain_file('ssl.conf').with_content(/^\s+SSLOpenSSLConfCmd DHParameters "foo.pem"$/)} + end end end diff --git a/apache/spec/defines/vhost_spec.rb b/apache/spec/defines/vhost_spec.rb index 47c1b1f45..325a06333 100644 --- a/apache/spec/defines/vhost_spec.rb +++ b/apache/spec/defines/vhost_spec.rb @@ -153,6 +153,7 @@ 'ssl_verify_client' => 'optional', 'ssl_verify_depth' => '3', 'ssl_options' => '+ExportCertData', + 'ssl_openssl_conf_cmd' => 'DHParameters "foo.pem"', 'ssl_proxyengine' => true, 'priority' => '30', 'default_vhost' => true, 
@@ -398,6 +399,8 @@ it { is_expected.to contain_concat__fragment('rspec.example.com-serveralias') } it { is_expected.to contain_concat__fragment('rspec.example.com-setenv') } it { is_expected.to contain_concat__fragment('rspec.example.com-ssl') } + it { is_expected.to contain_concat__fragment('rspec.example.com-ssl').with( + :content => /^\s+SSLOpenSSLConfCmd\s+DHParameters "foo.pem"$/ ) } it { is_expected.to contain_concat__fragment('rspec.example.com-suphp') } it { is_expected.to contain_concat__fragment('rspec.example.com-php_admin') } it { is_expected.to contain_concat__fragment('rspec.example.com-header') } @@ -411,6 +414,30 @@ it { is_expected.to contain_concat__fragment('rspec.example.com-charsets') } it { is_expected.to contain_concat__fragment('rspec.example.com-file_footer') } end + context 'proxy_pass_match' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'proxy_pass_match' => [ + { + 'path' => '.*', + 'url' => 'http://backend-a/', + } + ], + } + end + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content( + /ProxyPassMatch .* http:\/\/backend-a\//).with_content(/## Proxy rules/) } + end + context 'proxy_dest_match' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'proxy_dest_match' => '/' + } + end + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content(/## Proxy rules/) } + end context 'not everything can be set together...' do let :params do { diff --git a/apache/spec/spec_helper_acceptance.rb b/apache/spec/spec_helper_acceptance.rb index 66d1d7c43..6304c222b 100644 --- a/apache/spec/spec_helper_acceptance.rb +++ b/apache/spec/spec_helper_acceptance.rb 
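Review bot: In the `proxy_pass_match` context added to vhost_spec.rb, the `.*` inside `/ProxyPassMatch .* http:\/\/backend-a\//` is a regex wildcard rather than the literal path from the params, so the assertion passes for any rendered path; `/ProxyPassMatch \.\* http:\/\/backend-a\//` pins it. The `proxy_dest_match` context only checks the `## Proxy rules` comment, while the line that matters under the changed `_proxy.erb` condition is `ProxyRequests Off`, which keeps the vhost from acting as a forward proxy; adding `.with_content(/ProxyRequests Off/)` there would cover it. The enclosing describe block starts outside the hunk.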
@@ -1,25 +1,8 @@ require 'beaker-rspec/spec_helper' require 'beaker-rspec/helpers/serverspec' +require 'beaker/puppet_install_helper' - -unless ENV['RS_PROVISION'] == 'no' - # This will install the latest available package on el and deb based - # systems fail on windows and osx, and install via gem on other *nixes - foss_opts = { - :default_action => 'gem_install', - :version => (ENV['PUPPET_VERSION'] || '3.8.1'), - } - - if default.is_pe?; then install_pe; else install_puppet( foss_opts ); end - - hosts.each do |host| - if host['platform'] =~ /debian/ - on host, 'echo \'export PATH=/var/lib/gems/1.8/bin/:${PATH}\' >> ~/.bashrc' - end - - on host, "mkdir -p #{host['distmoduledir']}" - end -end +run_puppet_install_helper UNSUPPORTED_PLATFORMS = ['Suse','windows','AIX','Solaris'] @@ -38,6 +21,7 @@ # Required for mod_passenger tests. if fact('osfamily') == 'RedHat' on host, puppet('module','install','stahnma/epel'), { :acceptable_exit_codes => [0,1] } + on host, puppet('module','install','puppetlabs/inifile'), { :acceptable_exit_codes => [0,1] } end # Required for manifest to make mod_pagespeed repository available if fact('osfamily') == 'Debian' @@ -45,6 +29,13 @@ end on host, puppet('module','install','puppetlabs-stdlib'), { :acceptable_exit_codes => [0,1] } on host, puppet('module','install','puppetlabs-concat', '--version 1.1.1', '--force'), { :acceptable_exit_codes => [0,1] } + + # Make sure selinux is disabled before each test or apache won't work. + if ! UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) + on host, puppet('apply', '-e', + %{"exec { 'setenforce 0': path => '/bin:/sbin:/usr/bin:/usr/sbin', onlyif => 'which setenforce && getenforce | grep Enforcing', }"}), + { :acceptable_exit_codes => [0] } + end end end end diff --git a/apache/templates/mod/geoip.conf.erb b/apache/templates/mod/geoip.conf.erb index 84b5dfe92..00e61d98b 100644 --- a/apache/templates/mod/geoip.conf.erb +++ b/apache/templates/mod/geoip.conf.erb 
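Review bot: The added `puppet('module','install','puppetlabs/inifile')` call in the RedHat branch of spec_helper_acceptance.rb accepts exit code 1, so a failed install goes unnoticed until mod_security_spec.rb applies its `ini_setting` resource and fails on a missing type. It is also unversioned, unlike the concat install a few lines below that passes `--version 1.1.1`. If exit code 1 is only tolerated for reruns, a short comment saying so would help; otherwise I would use `{ :acceptable_exit_codes => [0] }` as the SELinux step in this file does.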
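Review bot: The block added at the end of the host setup in spec_helper_acceptance.rb switches SELinux to permissive on every supported host, so the acceptance suite never runs the module under an enforcing policy and cannot catch SELinux-related breakage. The comment also overstates it: `setenforce 0` makes SELinux permissive until the next reboot rather than disabling it, and the step appears to run once per host in setup, not before each test. I would reword the comment to `# Put SELinux into permissive mode for the whole run (setenforce 0, not persistent); the module is not exercised under enforcing SELinux.` and write the guard as `unless UNSUPPORTED_PLATFORMS.include?(fact('osfamily'))`. The enclosing setup block starts outside this hunk.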
@@ -16,6 +16,9 @@ GeoIPEnableUTF8 <%= scope.function_bool2httpd([@enable_utf8]) %> <% if ! @scan_proxy_headers.nil? -%> GeoIPScanProxyHeaders <%= scope.function_bool2httpd([@scan_proxy_headers]) %> <% end -%> +<% if ! @scan_proxy_header_field.nil? -%> +GeoIPScanProxyHeaderField <%= @scan_proxy_header_field %> +<% end -%> <% if ! @use_last_xforwarededfor_ip.nil? -%> GeoIPUseLastXForwardedForIP <%= scope.function_bool2httpd([@use_last_xforwarededfor_ip]) %> <% end -%> diff --git a/apache/templates/mod/ssl.conf.erb b/apache/templates/mod/ssl.conf.erb index 933aa1fcc..96b80b003 100644 --- a/apache/templates/mod/ssl.conf.erb +++ b/apache/templates/mod/ssl.conf.erb @@ -25,4 +25,7 @@ <% if @ssl_options -%> SSLOptions <%= @ssl_options.compact.join(' ') %> <% end -%> +<%- if @ssl_openssl_conf_cmd -%> + SSLOpenSSLConfCmd <%= @ssl_openssl_conf_cmd %> +<%- end -%> diff --git a/apache/templates/vhost/_proxy.erb b/apache/templates/vhost/_proxy.erb index f290fcb76..157e2ef40 100644 --- a/apache/templates/vhost/_proxy.erb +++ b/apache/templates/vhost/_proxy.erb @@ -1,4 +1,4 @@ -<% if @proxy_dest or @proxy_pass -%> +<% if @proxy_dest or @proxy_pass or @proxy_pass_match or @proxy_dest_match -%> ## Proxy rules ProxyRequests Off diff --git a/apache/templates/vhost/_ssl.erb b/apache/templates/vhost/_ssl.erb index 516992558..c2d941350 100644 --- a/apache/templates/vhost/_ssl.erb +++ b/apache/templates/vhost/_ssl.erb @@ -43,4 +43,7 @@ <%- if @ssl_options -%> SSLOptions <%= Array(@ssl_options).join(' ') %> <%- end -%> + <%- if @ssl_openssl_conf_cmd -%> + SSLOpenSSLConfCmd <%= @ssl_openssl_conf_cmd %> + <%- end -%> <% end -%>
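Review bot: `SSLOpenSSLConfCmd` is emitted in apache/templates/mod/ssl.conf.erb (and again in apache/templates/vhost/_ssl.erb, the last hunk of this commit) whenever the parameter is set, with no check on the Apache version, but the directive only exists in httpd 2.4.8 and later built against OpenSSL 1.0.2 or later; on older servers the generated config will not load. At minimum I would document that next to the parameter, e.g. `# $ssl_openssl_conf_cmd requires httpd >= 2.4.8 with OpenSSL >= 1.0.2`, and ideally skip the directive when the Apache version known to the manifest is below 2.4. The value is interpolated as one string, so only a single command can be set; iterating with `Array(@ssl_openssl_conf_cmd).each` and writing one directive per element would allow several. The docs should also mention that commands given here can overlap with `ssl_protocol` and `ssl_cipher`, so a value set through this parameter may change the effective protocol or cipher policy.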