From 30886fe1499126c083ec74efdd992ecb2872965f Mon Sep 17 00:00:00 2001 
From: Lukas Bezdicka Date: Tue, 23 Jun 2015 10:52:44 +0200 Subject: [PATCH] Update apache to 44b0f0f851119c6504628b287f1776f303f22f99 44b0f0f851119c6504628b287f1776f303f22f99 Merge pull request #1145 from jonnytpuppet/fix_vhost_proxy 4da8f4949977bfbbed702bb4ab6a2fbed11a9ffb Fix test condition for proxy directives. e2676682ae3181460d17d844357b6259bc5c30ca Merge pull request #1144 from mhaskel/7b_testing 3aff134feadfbdd5280606064c6c2fd59360e5f5 Set obsoletes=0 on el7 to work around PUP-4497 3d239583434ec7f07246b319038a822b6eb3fda6 Merge pull request #1128 from dgarbus/geoip_scanproxyheaderfield 4c5e17165e2646ea0098015cb7dc3475732d3a1f Merge pull request #1127 from tmuellerleile/add-openssl-conf-cmd 22b2dd998644a0971df7cbbd757c4f8464c2c329 Merge pull request #1142 from mhaskel/merge_1.5.x_to_master 44bc7216a4501da453eb4143773e42baeb870daf makes the acceptance tests more robust by ensuring selinux is disabled on all runs. 4f386295d9c6783dc1737c65f200bfea1aa06cfa fixes bug introduced by PR1133 27d7074fa7cf6f6aae083734e93e82141dce6dd2 Updated changelog c054232b398605f900cf02995679b26ce7f215fa Amazon Linux does not support systemd. Having the versioncmp makes this fail on newer versions (which do not yet support systemd). Run this on 2015.03 and you end up with an apache server that will not start. 
09ce83ef037a3a3c9fba0f5cac3746fa4ddcbb5b Incorrect date in the changelog c7ce06cac84c2c57c5fb25852f2e8573555607d0 Add ssl_openssl_conf_cmd param (apache::mod::ssl and apache::vhost) 5e321ce349910484b7db7ec709d89d803397eec5 Merge pull request #1140 from hunner/add_puppet_helper 4069e79b1fce1714f2966c82259e51e2344ecfbf Add the helper to install puppet/pe/puppet-agent f71a8dec1af1f50c64a0280b633981e8d93c0409 Adding docs for apache::mod::geoip per puppetlabs/puppetlabs-apache#1128 dbbd1d9c70b98fc8e4a500bb32f98b2908db99da Merge remote-tracking branch 'upstream/master' into geoip_scanproxyheaderfield 4673e29e0328ea6e8410a5f59e9545372d0111f4 Add the ability to specify GeoIPScanProxyHeaderField for mod_geoip Change-Id: I82734825f168614326d6005bb2ac6c5a43ef3688 --- Puppetfile | 2 +- apache/CHANGELOG.md | 4 +- apache/Gemfile | 1 + apache/README.md | 45 ++++++++++++++++++--- apache/manifests/default_mods.pp | 2 +- apache/manifests/mod/geoip.pp | 2 + apache/manifests/mod/ssl.pp | 2 + apache/manifests/vhost.pp | 4 +- apache/spec/acceptance/basic_spec.rb | 12 ------ apache/spec/acceptance/mod_security_spec.rb | 12 ++++++ apache/spec/classes/mod/ssl_spec.rb | 9 +++++ apache/spec/defines/vhost_spec.rb | 27 +++++++++++++ apache/spec/spec_helper_acceptance.rb | 29 +++++-------- apache/templates/mod/geoip.conf.erb | 3 ++ apache/templates/mod/ssl.conf.erb | 3 ++ apache/templates/vhost/_proxy.erb | 2 +- apache/templates/vhost/_ssl.erb | 3 ++ 17 files changed, 120 insertions(+), 42 deletions(-) delete mode 100644 apache/spec/acceptance/basic_spec.rb diff --git a/Puppetfile b/Puppetfile index 1fa3787a9..ab8844c2f 100644 --- a/Puppetfile +++ b/Puppetfile @@ -1,5 +1,5 @@ mod 'apache', - :commit => '84219d81079b901a1400660757e399c365dacbda', + :commit => '44b0f0f851119c6504628b287f1776f303f22f99', :git => 'https://github.com/puppetlabs/puppetlabs-apache.git' mod 'aviator', diff --git a/apache/CHANGELOG.md b/apache/CHANGELOG.md index 6e0b1ee87..7a722a8a9 100644 --- a/apache/CHANGELOG.md 
+++ b/apache/CHANGELOG.md @@ -1,10 +1,9 @@ -##2015-06-16 - Supported Release 1.5.0 +##2015-06-11 - Supported Release 1.5.0 ### Summary This release primarily adds Suse compatibility. It also adds a handful of other parameters for greater configuration control. ### Features -- Now compatible with concat 1.x and 2.x - Add `apache::lib_path` parameter - Add `apache::service_restart` parameter - Add `apache::vhost::geoip_enable` parameter @@ -29,6 +28,7 @@ parameters for greater configuration control. - Fix alias module being declared even when vhost is absent - Fix proxy\_pass\_match handling in vhost's proxy template - Fix userdir access permissions +- Fix issue where the module was trying to use systemd on Amazon Linux. ##2015-04-28 - Supported Release 1.4.1 diff --git a/apache/Gemfile b/apache/Gemfile index 2b1b7cd8d..bfe64b186 100644 --- a/apache/Gemfile +++ b/apache/Gemfile @@ -28,6 +28,7 @@ group :system_tests do gem 'beaker-rspec', :require => false end gem 'serverspec', :require => false + gem 'beaker-puppet_install_helper', :require => false end diff --git a/apache/README.md b/apache/README.md index 087bbc869..68a91e94c 100644 --- a/apache/README.md +++ b/apache/README.md 
@@ -666,14 +666,44 @@ These are the default settings: ```puppet class {'apache::mod::geoip': - $enable => false, - $db_file => '/usr/share/GeoIP/GeoIP.dat', - $flag => 'Standard', - $output => 'All', + enable => false, + db_file => '/usr/share/GeoIP/GeoIP.dat', + flag => 'Standard', + output => 'All', } ``` -The parameter `db_file` can be a single directory or a hash of directories. +#####`enable` + +Boolean. Enable or Disable mod_geoip globally. Defaults to false. + +#####`db_file` + +The full path to your GeoIP database file. Defaults to `/usr/share/GeoIP/GeoIP.dat`. This parameter optionally takes an array of paths for multiple GeoIP database files. + +#####`flag` + +GeoIP Flag. Defaults to 'Standard'. + +#####`output` + +Defines which output variables to use. Defaults to 'All'. + +#####`enable_utf8` + +Boolean. Changes the output from ISO-8859-1 (Latin-1) to UTF-8. + +#####`scan_proxy_headers` + +Boolean. Enables the GeoIPScanProxyHeaders option. More information can be found [here](http://dev.maxmind.com/geoip/legacy/mod_geoip2/#Proxy-Related_Directives). + +#####`scan_proxy_header_field` + +Specifies which header that mod_geoip should look at to determine the client's IP address. + +#####`use_last_xforwarededfor_ip` + +Boolean. If a comma-separated list of IP addresses is found, use the last IP address for the client's IP. ####Class: `apache::mod::info` @@ -823,6 +853,7 @@ Installs Apache SSL capabilities and uses the ssl.conf.erb template. These are t ssl_compression => false, ssl_cryptodevice => 'builtin', ssl_options => [ 'StdEnvVars' ], + ssl_openssl_conf_cmd => undef, ssl_cipher => 'HIGH:MEDIUM:!aNULL:!MD5', ssl_honorcipherorder => 'On', ssl_protocol => [ 'all', '-SSLv2', '-SSLv3' ], 
@@ -2251,6 +2282,10 @@ An array: } ``` +#####`ssl_openssl_conf_cmd` + +Sets the [SSLOpenSSLConfCmd](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslopensslconfcmd) directive, which provides direct configuration of OpenSSL parameters. Defaults to 'undef'. + #####`ssl_proxyengine` Specifies whether or not to use [SSLProxyEngine](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyengine). Valid values are 'true' and 'false'. Defaults to 'false'. diff --git a/apache/manifests/default_mods.pp b/apache/manifests/default_mods.pp index 0d8969ca6..9e3c2c69a 100644 --- a/apache/manifests/default_mods.pp +++ b/apache/manifests/default_mods.pp @@ -12,7 +12,7 @@ if versioncmp($apache_version, '2.4') >= 0 { # Lets fork it # Do not try to load mod_systemd on RHEL/CentOS 6 SCL. - if ( !($::osfamily == 'redhat' and versioncmp($::operatingsystemrelease, '7.0') == -1) and !($::operatingsystem == 'Amazon' and versioncmp($::operatingsystemrelease, '2014.09') <= 0 ) ) { + if ( !($::osfamily == 'redhat' and versioncmp($::operatingsystemrelease, '7.0') == -1) and !($::operatingsystem == 'Amazon') ) { ::apache::mod { 'systemd': } } ::apache::mod { 'unixd': } diff --git a/apache/manifests/mod/geoip.pp b/apache/manifests/mod/geoip.pp index 4e87cb96a..1f8fb08ee 100644 --- a/apache/manifests/mod/geoip.pp +++ b/apache/manifests/mod/geoip.pp @@ -5,6 +5,7 @@ $output = 'All', $enable_utf8 = undef, $scan_proxy_headers = undef, + $scan_proxy_header_field = undef, $use_last_xforwarededfor_ip = undef, ) { ::apache::mod { 'geoip': } @@ -16,6 +17,7 @@ # - output # - enable_utf8 # - scan_proxy_headers + # - scan_proxy_header_field # - use_last_xforwarededfor_ip file { 'geoip.conf': ensure => file, diff --git a/apache/manifests/mod/ssl.pp b/apache/manifests/mod/ssl.pp index 4a6b82334..9e68d21b7 100644 --- a/apache/manifests/mod/ssl.pp +++ b/apache/manifests/mod/ssl.pp 
@@ -2,6 +2,7 @@ $ssl_compression = false, $ssl_cryptodevice = 'builtin', $ssl_options = [ 'StdEnvVars' ], + $ssl_openssl_conf_cmd = undef, $ssl_cipher = 'HIGH:MEDIUM:!aNULL:!MD5', $ssl_honorcipherorder = 'On', $ssl_protocol = [ 'all', '-SSLv2', '-SSLv3' ], @@ -57,6 +58,7 @@ # $ssl_cipher # $ssl_honorcipherorder # $ssl_options + # $ssl_openssl_conf_cmd # $session_cache # $ssl_mutex # $ssl_random_seed_bytes diff --git a/apache/manifests/vhost.pp b/apache/manifests/vhost.pp index 17f61e313..976bd1f8b 100644 --- a/apache/manifests/vhost.pp +++ b/apache/manifests/vhost.pp @@ -26,6 +26,7 @@ $ssl_verify_client = undef, $ssl_verify_depth = undef, $ssl_options = undef, + $ssl_openssl_conf_cmd = undef, $ssl_proxyengine = false, $priority = undef, $default_vhost = false, @@ -627,7 +628,7 @@ # - $proxy_pass_match # - $proxy_preserve_host # - $no_proxy_uris - if $proxy_dest or $proxy_pass or $proxy_pass_match { + if $proxy_dest or $proxy_pass or $proxy_pass_match or $proxy_dest_match { concat::fragment { "${name}-proxy": target => "${priority_real}$(unknown).conf", order => 140, @@ -729,6 +730,7 @@ # - $ssl_verify_client # - $ssl_verify_depth # - $ssl_options + # - $ssl_openssl_conf_cmd # - $apache_version if $ssl { concat::fragment { "${name}-ssl": diff --git a/apache/spec/acceptance/basic_spec.rb b/apache/spec/acceptance/basic_spec.rb deleted file mode 100644 index 6c2b3f462..000000000 --- a/apache/spec/acceptance/basic_spec.rb +++ /dev/null @@ -1,12 +0,0 @@ -require 'spec_helper_acceptance' - -describe 'disable selinux:', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - it "because otherwise apache won't work" do - apply_manifest(%{ - exec { "setenforce 0": - path => "/bin:/sbin:/usr/bin:/usr/sbin", - onlyif => "which setenforce && getenforce | grep Enforcing", - } - }, :catch_failures => true) - end -end diff --git a/apache/spec/acceptance/mod_security_spec.rb b/apache/spec/acceptance/mod_security_spec.rb index 60295787e..18de2804e 100644 
--- a/apache/spec/acceptance/mod_security_spec.rb +++ b/apache/spec/acceptance/mod_security_spec.rb @@ -18,6 +18,18 @@ pp = "class { 'epel': }" apply_manifest(pp, :catch_failures => true) end + elsif fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '7' + it 'changes obsoletes, per PUP-4497' do + pp = <<-EOS + ini_setting { 'obsoletes': + path => '/etc/yum.conf', + section => 'main', + setting => 'obsoletes', + value => '0', + } + EOS + apply_manifest(pp, :catch_failures => true) + end end it 'succeeds in puppeting mod_security' do diff --git a/apache/spec/classes/mod/ssl_spec.rb b/apache/spec/classes/mod/ssl_spec.rb index 50aa8292f..1e8b94edc 100644 --- a/apache/spec/classes/mod/ssl_spec.rb +++ b/apache/spec/classes/mod/ssl_spec.rb @@ -136,5 +136,14 @@ end it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLRandomSeed startup file:/dev/urandom 1024$})} end + + context 'setting ssl_openssl_conf_cmd' do + let :params do + { + :ssl_openssl_conf_cmd => 'DHParameters "foo.pem"', + } + end + it { is_expected.to contain_file('ssl.conf').with_content(/^\s+SSLOpenSSLConfCmd DHParameters "foo.pem"$/)} + end end end diff --git a/apache/spec/defines/vhost_spec.rb b/apache/spec/defines/vhost_spec.rb index 47c1b1f45..325a06333 100644 --- a/apache/spec/defines/vhost_spec.rb +++ b/apache/spec/defines/vhost_spec.rb @@ -153,6 +153,7 @@ 'ssl_verify_client' => 'optional', 'ssl_verify_depth' => '3', 'ssl_options' => '+ExportCertData', + 'ssl_openssl_conf_cmd' => 'DHParameters "foo.pem"', 'ssl_proxyengine' => true, 'priority' => '30', 'default_vhost' => true, 
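Review bot: The new `elsif` branch writes `obsoletes = 0` into `/etc/yum.conf` on the el7 host and nothing restores it, so every later acceptance example on that host runs with yum's obsoletes handling switched off rather than with its default of `obsoletes=1`. If the workaround is meant to be scoped to this suite, an `after(:all)` applying the same `ini_setting` with `value => '1'` (or `ensure => absent`) would put it back; if it is deliberately left in place for the rest of the run, a comment such as `# Left in place on purpose: later suites on this host need the PUP-4497 workaround too` would make that explicit. The branch also depends on puppetlabs/inifile being installed, which happens elsewhere only for RedHat hosts, so the coupling is worth a comment here as well. The enclosing `describe` block starts outside the hunk.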
@@ -398,6 +399,8 @@ it { is_expected.to contain_concat__fragment('rspec.example.com-serveralias') } it { is_expected.to contain_concat__fragment('rspec.example.com-setenv') } it { is_expected.to contain_concat__fragment('rspec.example.com-ssl') } + it { is_expected.to contain_concat__fragment('rspec.example.com-ssl').with( + :content => /^\s+SSLOpenSSLConfCmd\s+DHParameters "foo.pem"$/ ) } it { is_expected.to contain_concat__fragment('rspec.example.com-suphp') } it { is_expected.to contain_concat__fragment('rspec.example.com-php_admin') } it { is_expected.to contain_concat__fragment('rspec.example.com-header') } @@ -411,6 +414,30 @@ it { is_expected.to contain_concat__fragment('rspec.example.com-charsets') } it { is_expected.to contain_concat__fragment('rspec.example.com-file_footer') } end + context 'proxy_pass_match' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'proxy_pass_match' => [ + { + 'path' => '.*', + 'url' => 'http://backend-a/', + } + ], + } + end + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content( + /ProxyPassMatch .* http:\/\/backend-a\//).with_content(/## Proxy rules/) } + end + context 'proxy_dest_match' do + let :params do + { + 'docroot' => '/rspec/docroot', + 'proxy_dest_match' => '/' + } + end + it { is_expected.to contain_concat__fragment('rspec.example.com-proxy').with_content(/## Proxy rules/) } + end context 'not everything can be set together...' do let :params do { diff --git a/apache/spec/spec_helper_acceptance.rb b/apache/spec/spec_helper_acceptance.rb index 66d1d7c43..6304c222b 100644 --- a/apache/spec/spec_helper_acceptance.rb +++ b/apache/spec/spec_helper_acceptance.rb 
@@ -1,25 +1,8 @@ require 'beaker-rspec/spec_helper' require 'beaker-rspec/helpers/serverspec' +require 'beaker/puppet_install_helper' - -unless ENV['RS_PROVISION'] == 'no' - # This will install the latest available package on el and deb based - # systems fail on windows and osx, and install via gem on other *nixes - foss_opts = { - :default_action => 'gem_install', - :version => (ENV['PUPPET_VERSION'] || '3.8.1'), - } - - if default.is_pe?; then install_pe; else install_puppet( foss_opts ); end - - hosts.each do |host| - if host['platform'] =~ /debian/ - on host, 'echo \'export PATH=/var/lib/gems/1.8/bin/:${PATH}\' >> ~/.bashrc' - end - - on host, "mkdir -p #{host['distmoduledir']}" - end -end +run_puppet_install_helper UNSUPPORTED_PLATFORMS = ['Suse','windows','AIX','Solaris'] @@ -38,6 +21,7 @@ # Required for mod_passenger tests. if fact('osfamily') == 'RedHat' on host, puppet('module','install','stahnma/epel'), { :acceptable_exit_codes => [0,1] } + on host, puppet('module','install','puppetlabs/inifile'), { :acceptable_exit_codes => [0,1] } end # Required for manifest to make mod_pagespeed repository available if fact('osfamily') == 'Debian' @@ -45,6 +29,13 @@ end on host, puppet('module','install','puppetlabs-stdlib'), { :acceptable_exit_codes => [0,1] } on host, puppet('module','install','puppetlabs-concat', '--version 1.1.1', '--force'), { :acceptable_exit_codes => [0,1] } + + # Make sure selinux is disabled before each test or apache won't work. + if ! UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) + on host, puppet('apply', '-e', + %{"exec { 'setenforce 0': path => '/bin:/sbin:/usr/bin:/usr/sbin', onlyif => 'which setenforce && getenforce | grep Enforcing', }"}), + { :acceptable_exit_codes => [0] } + end end end end diff --git a/apache/templates/mod/geoip.conf.erb b/apache/templates/mod/geoip.conf.erb index 84b5dfe92..00e61d98b 100644 --- a/apache/templates/mod/geoip.conf.erb +++ b/apache/templates/mod/geoip.conf.erb 
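Review bot: The `setenforce 0` step in the third hunk checks `:acceptable_exit_codes => [0]` on a plain `puppet apply`, but without `--detailed-exitcodes` puppet apply exits 0 even when the `exec` resource fails, so a host left in Enforcing mode would go unnoticed until some later test fails for an unrelated-looking reason; the deleted basic_spec.rb used `apply_manifest(..., :catch_failures => true)`, which does pass that flag. Changing the call to `on host, puppet('apply', '--detailed-exitcodes', '-e', %{...}), { :acceptable_exit_codes => [0, 2] }` keeps the same behaviour and makes a failure visible. Since this turns SELinux enforcement off on every host for the remainder of the run and never turns it back on, a comment stating that it is intended only for throwaway test VMs would help the next reader. The `hosts.each` block these lines sit in begins outside the hunk.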
@@ -16,6 +16,9 @@ GeoIPEnableUTF8 <%= scope.function_bool2httpd([@enable_utf8]) %> <% if ! @scan_proxy_headers.nil? -%> GeoIPScanProxyHeaders <%= scope.function_bool2httpd([@scan_proxy_headers]) %> <% end -%> +<% if ! @scan_proxy_header_field.nil? -%> +GeoIPScanProxyHeaderField <%= @scan_proxy_header_field %> +<% end -%> <% if ! @use_last_xforwarededfor_ip.nil? -%> GeoIPUseLastXForwardedForIP <%= scope.function_bool2httpd([@use_last_xforwarededfor_ip]) %> <% end -%> diff --git a/apache/templates/mod/ssl.conf.erb b/apache/templates/mod/ssl.conf.erb index 933aa1fcc..96b80b003 100644 --- a/apache/templates/mod/ssl.conf.erb +++ b/apache/templates/mod/ssl.conf.erb @@ -25,4 +25,7 @@ <% if @ssl_options -%> SSLOptions <%= @ssl_options.compact.join(' ') %> <% end -%> +<%- if @ssl_openssl_conf_cmd -%> + SSLOpenSSLConfCmd <%= @ssl_openssl_conf_cmd %> +<%- end -%> diff --git a/apache/templates/vhost/_proxy.erb b/apache/templates/vhost/_proxy.erb index f290fcb76..157e2ef40 100644 --- a/apache/templates/vhost/_proxy.erb +++ b/apache/templates/vhost/_proxy.erb @@ -1,4 +1,4 @@ -<% if @proxy_dest or @proxy_pass -%> +<% if @proxy_dest or @proxy_pass or @proxy_pass_match or @proxy_dest_match -%> ## Proxy rules ProxyRequests Off diff --git a/apache/templates/vhost/_ssl.erb b/apache/templates/vhost/_ssl.erb index 516992558..c2d941350 100644 --- a/apache/templates/vhost/_ssl.erb +++ b/apache/templates/vhost/_ssl.erb @@ -43,4 +43,7 @@ <%- if @ssl_options -%> SSLOptions <%= Array(@ssl_options).join(' ') %> <%- end -%> + <%- if @ssl_openssl_conf_cmd -%> + SSLOpenSSLConfCmd <%= @ssl_openssl_conf_cmd %> + <%- end -%> <% end -%>
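Review bot: `GeoIPScanProxyHeaderField <%= @scan_proxy_header_field %>` makes mod_geoip take the client address from a request header, and neither the parameter in geoip.pp (`$scan_proxy_header_field = undef`) nor the README entry says anything about when that is appropriate; any client can send an arbitrary header, so the directive only gives a trustworthy address when a proxy in front of httpd overwrites that header itself. A comment on the parameter in geoip.pp, e.g. `# Header mod_geoip reads the client IP from; only reliable behind a proxy that sets this header itself`, would make that explicit, and if the module validates its other string parameters (not visible in this patch) the same check presumably belongs here. The value is interpolated raw into the config, consistent with the surrounding template, which also means a value containing whitespace or a newline produces a broken directive.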
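Review bot: `SSLOpenSSLConfCmd <%= @ssl_openssl_conf_cmd %>` in ssl.conf.erb, and the same lines in _ssl.erb, emit exactly one directive from a single string, whereas httpd allows the directive to be repeated and a typical configuration needs more than one (for example DHParameters together with Curves); `ssl_options` just above in _ssl.erb already accepts arrays via `Array(@ssl_options)`. Emitting one line per entry with `<% Array(@ssl_openssl_conf_cmd).each do |cmd| -%>` / `  SSLOpenSSLConfCmd <%= cmd %>` / `<% end -%>` keeps the string case working and avoids a later interface change, in which case the parameter comments in ssl.pp and vhost.pp should say a string or array is accepted. The new ssl.conf.erb lines use `<%-` while the rest of that file uses `<%`, which is worth aligning. SSLOpenSSLConfCmd is only understood by httpd 2.4.8 or later built against OpenSSL 1.0.2 or later, and that prerequisite belongs in the README entry for the parameter.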