From d399d3d05a3d5bfe6555ae6a39dc6e28f0b906a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20M=E4kinen?=
Date: Tue, 17 Sep 2013 14:35:53 +0300
Subject: [PATCH 1/9] ldap: Ugly kludges to get ldap::auth working on Fedora 19.
---
ldap/manifests/init.pp | 32 +++++++++++++++++++++++++-------
1 file changed, 25 insertions(+), 7 deletions(-)
diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp
index 7e9efac..a59883a 100644
--- a/ldap/manifests/init.pp
+++ b/ldap/manifests/init.pp
@@ -95,14 +95,32 @@ class ldap::auth inherits ldap::client { } } Fedora: { - package { [ "sssd", "pam_ldap", ]: + package { "sssd": ensure => installed, } - exec { "authconfig --enableldap --enableldapauth --ldapserver='${ldap_uri}' --ldapbasedn='${ldap_basedn}' --enablesssd --krb5realm='' --update": - path => "/bin:/usr/bin:/sbin:/usr/sbin", - unless => 'cat /etc/sysconfig/authconfig | egrep "^USELDAPAUTH=yes$|^USELDAP=yes$" | wc -l | egrep "^2$"', - before => Augeas["sssd-conf"], - require => Package["authconfig", "sssd", "pam_ldap"], + if $::operatingsystemrelease < 19 { + package { "pam_ldap": + ensure => installed, + before => Package["sssd"], + } + exec { "authconfig --enableldap --enableldapauth --ldapserver='${ldap_uri}' --ldapbasedn='${ldap_basedn}' --enablesssd --krb5realm='' --update": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + unless => 'cat /etc/sysconfig/authconfig | egrep "^USELDAPAUTH=yes$|^USELDAP=yes$" | wc -l | egrep "^2$"', + before => Augeas["sssd-conf"], + require => [ Package["authconfig"], Package["sssd"], ], + } + } else { + exec { "authconfig --enableldap --enableldapauth --ldapserver='${ldap_uri}' --ldapbasedn='${ldap_basedn}' --krb5realm='' --update": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + creates => "/etc/sssd/sssd.conf", + require => [ Package["authconfig"], Package["sssd"], ], + notify => Exec["authconfig --enablesssd --update"], + } + exec { "authconfig --enablesssd --update": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + refreshonly => true, + before => Augeas["sssd-conf"], + } } augeas { "sssd-conf": changes => [ @@ -113,7 +131,7 @@ class ldap::auth inherits ldap::client { ], incl => "/etc/sssd/sssd.conf", lens => "MySQL.lns", - before => Service["sssd"], + notify => Service["sssd"], } service { "sssd": ensure => running, From 98b89b0fe0d2a003fa5a8dcc0bf9d9977de6a578 Mon Sep 17 00:00:00 2001 
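Review bot: In the new Fedora 19 branch of the first hunk, the LDAP-enabling exec is guarded by `creates => "/etc/sssd/sssd.conf"`, which only shows that the file exists, not that LDAP authentication is actually switched on. Once sssd.conf is present (from an earlier run, or before `$ldap_uri` is changed), authconfig is never applied again, so drift in the authentication setup goes uncorrected. The older branch at least re-checks `USELDAPAUTH=yes` and `USELDAP=yes` in /etc/sysconfig/authconfig. If authconfig on Fedora 19 still records those keys, reusing that `unless` test in place of `creates` would keep the two branches equivalent. The enclosing class ldap::auth starts and ends outside this hunk.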
From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Tue, 17 Sep 2013 15:27:45 +0300 Subject: [PATCH 2/9] network: Fixed setting hostname during Fedora 19 kickstart. --- network/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/network/manifests/init.pp b/network/manifests/init.pp index ac7f374..05bf243 100644 --- a/network/manifests/init.pp +++ b/network/manifests/init.pp @@ -74,7 +74,7 @@ class network::hostname { } } "fedora": { - if $::operatingsystemrelease > 17 { + if versioncmp($::operatingsystemrelease, "17") == 1 { file { "/etc/hostname": ensure => present, content => "${homename}\n", From 917ea4c93d06bf716e6c105fc4c1db7fbd39ba88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Tue, 17 Sep 2013 15:37:01 +0300 Subject: [PATCH 3/9] ldap: Fixed ldap::auth when running from Fedora 19 kickstart. --- ldap/manifests/init.pp | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp index a59883a..23be41d 100644 --- a/ldap/manifests/init.pp +++ b/ldap/manifests/init.pp @@ -98,18 +98,7 @@ class ldap::auth inherits ldap::client { package { "sssd": ensure => installed, } - if $::operatingsystemrelease < 19 { - package { "pam_ldap": - ensure => installed, - before => Package["sssd"], - } - exec { "authconfig --enableldap --enableldapauth --ldapserver='${ldap_uri}' --ldapbasedn='${ldap_basedn}' --enablesssd --krb5realm='' --update": - path => "/bin:/usr/bin:/sbin:/usr/sbin", - unless => 'cat /etc/sysconfig/authconfig | egrep "^USELDAPAUTH=yes$|^USELDAP=yes$" | wc -l | egrep "^2$"', - before => Augeas["sssd-conf"], - require => [ Package["authconfig"], Package["sssd"], ], - } - } else { + if versioncmp($::operatingsystemrelease, "18") == 1 { exec { "authconfig --enableldap --enableldapauth --ldapserver='${ldap_uri}' --ldapbasedn='${ldap_basedn}' --krb5realm='' --update": path => "/bin:/usr/bin:/sbin:/usr/sbin", creates => "/etc/sssd/sssd.conf", 
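Review bot: `$ldap_uri` and `$ldap_basedn` are placed between single quotes inside the exec command string (`--ldapserver='${ldap_uri}' --ldapbasedn='${ldap_basedn}'`) in the ldap/manifests/init.pp hunk of patch 3/9, so a value containing a single quote would end the quoting and change how the rest of the command line is parsed. Both values presumably come from site configuration, which makes this a hardening point rather than a bug, but the constraint is worth stating above the exec: `# $ldap_uri and $ldap_basedn are interpolated into a command line; they must not contain quotes or shell metacharacters`. The else branch in the following hunk of the same patch carries the same command string. The class body continues outside both hunks.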
@@ -121,6 +110,17 @@ class ldap::auth inherits ldap::client { refreshonly => true, before => Augeas["sssd-conf"], } + } else { + package { "pam_ldap": + ensure => installed, + before => Package["sssd"], + } + exec { "authconfig --enableldap --enableldapauth --ldapserver='${ldap_uri}' --ldapbasedn='${ldap_basedn}' --enablesssd --krb5realm='' --update": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + unless => 'cat /etc/sysconfig/authconfig | egrep "^USELDAPAUTH=yes$|^USELDAP=yes$" | wc -l | egrep "^2$"', + before => Augeas["sssd-conf"], + require => [ Package["authconfig"], Package["sssd"], ], + } } augeas { "sssd-conf": changes => [ From ea4d4d37cdb186ffe84f2b1ac07f28395ffafd77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Tue, 17 Sep 2013 16:18:05 +0300 Subject: [PATCH 4/9] firewall: Fixed errors running puppet during Fedora 19 kickstart. --- firewall/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/firewall/manifests/init.pp b/firewall/manifests/init.pp index 42aaaad..225285f 100644 --- a/firewall/manifests/init.pp +++ b/firewall/manifests/init.pp @@ -111,7 +111,7 @@ class firewall::common::iptables { } $ip6states = versioncmp($::kernelversion, "2.6.20") - if $::operatingsystem == "Fedora" and $::operatingsystemrelease > 17 { + if $::operatingsystem == "Fedora" and versioncmp($::operatingsystemrelease, "17") == 1 { package { "firewall-config": ensure => absent, before => Package["firewalld"], From f7f0f2fb36b87f09704f206d534a2aace7ee07ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Wed, 18 Sep 2013 12:33:24 +0300 Subject: [PATCH 5/9] nagios: Added IPP and LPD service target support. --- nagios/manifests/target.pp | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/nagios/manifests/target.pp b/nagios/manifests/target.pp index d47d8cf..99f4cbd 100644 --- a/nagios/manifests/target.pp +++ b/nagios/manifests/target.pp 
@@ -111,6 +111,18 @@ class nagios::target::imaps inherits nagios::target { } +# Configure ipp service target. +# +class nagios::target::ipp inherits nagios::target { + + @@nagios::service { "${::homename}_ipp": + command => "check_http!-p 631", + description => "IPP", + } + +} + + # Configure ldap service target. # class nagios::target::ldap inherits nagios::target { @@ -135,6 +147,18 @@ class nagios::target::ldaps inherits nagios::target { } +# Configure lpd service target. +# +class nagios::target::lpd inherits nagios::target { + + @@nagios::service { "${::homename}_lpd": + command => "check_tcp!515", + description => "LPD", + } + +} + + # Configure pop3 service target. # class nagios::target::pop3s inherits nagios::target { From f500ae452db2469c32d6e597f81a66d4b082686d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Wed, 18 Sep 2013 14:00:44 +0300 Subject: [PATCH 6/9] sendmail: Added certificate authentication support into sendmail::client::msa. --- sendmail/manifests/init.pp | 64 ++++++++++++++++++++++++++++ sendmail/templates/submit.mc.msa.erb | 6 +++ 2 files changed, 70 insertions(+) diff --git a/sendmail/manifests/init.pp b/sendmail/manifests/init.pp index 9dcad6b..58f4646 100644 --- a/sendmail/manifests/init.pp +++ b/sendmail/manifests/init.pp 
@@ -141,8 +141,72 @@ class sendmail::client inherits sendmail::common { # Configure Sendmail submission using port 587. # +# === Global variables: +# +# $mail_server: +# Hostname of mail server. +# +# $sendmail_ssl_key: +# Path to SSL key file used for authentication. If not set no +# certificate authentication will be performed. +# +# $sendmail_ssl_cert: +# Path to SSL certificate file used for authentication. If not set no +# certificate authentication will be performed. +# class sendmail::client::msa inherits sendmail::client { + if $sendmail_ssl_key and $sendmail_ssl_cert { + + include ssl + + $ssl_key = basename($sendmail_ssl_key) + $ssl_cert = basename($sendmail_ssl_cert) + file { "${ssl::private}/${ssl_key}": + ensure => present, + mode => "0640", + owner => "root", + group => "smmsp", + source => $sendmail_ssl_key, + notify => Service["sendmail"], + } + file { "${ssl::certs}/${ssl_cert}": + ensure => present, + mode => "0644", + owner => "root", + group => "root", + source => $sendmail_ssl_cert, + notify => Service["sendmail"], + } + + file { "/etc/mail/authinfo": + ensure => present, + content => "AuthInfo:${mail_server} \"U: \" \"P: \" \"M:EXTERNAL\"\n", + mode => "0640", + owner => "root", + group => $::operatingsystem ? { + "openbsd" => "wheel", + default => "root", + }, + notify => Exec["make authinfo.db"], + } + exec { "make authinfo.db": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + command => "makemap hash /etc/mail/authinfo < /etc/mail/authinfo", + refreshonly => true, + notify => Service["sendmail"], + } + file { "/etc/mail/authinfo.db": + ensure => present, + mode => "0640", + owner => "root", + group => "smmsp", + require => Exec["make authinfo.db"], + before => Service["sendmail"], + } + + } + File["/etc/mail/submit.mc"] { content => template("sendmail/submit.mc.erb", "sendmail/submit.mc.msa.erb"), } diff --git a/sendmail/templates/submit.mc.msa.erb b/sendmail/templates/submit.mc.msa.erb index 24261a7..ff777f2 100644 
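Review bot: `file { "/etc/mail/authinfo.db": ensure => present, ... }` combined with `refreshonly => true` on `Exec["make authinfo.db"]` means a missing authinfo.db is recreated as an empty file rather than rebuilt, because the exec only runs when /etc/mail/authinfo itself changes. An empty map would presumably leave certificate authentication to the MSA broken until someone touches authinfo by hand. Consider letting the exec decide for itself, for example replacing `refreshonly => true` with `unless => "test /etc/mail/authinfo.db -nt /etc/mail/authinfo"`, and dropping `ensure => present` from the file resource so it only manages ownership and mode. The class sendmail::client::msa continues past the end of this hunk.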
--- a/sendmail/templates/submit.mc.msa.erb +++ b/sendmail/templates/submit.mc.msa.erb @@ -1 +1,7 @@ +<% if @ssl_key and @ssl_cert -%> +define(`confCLIENT_CERT', `<%= scope.lookupvar('ssl::certs') %>/<%= @ssl_cert %>') +define(`confCLIENT_KEY', `<%= scope.lookupvar('ssl::private') %>/<%= @ssl_key %>') +define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile') +FEATURE(`authinfo', `DATABASE_MAP_TYPE /etc/mail/authinfo')dnl +<% end -%> FEATURE(`msp', `[<%= @mail_server %>]', `MSA')dnl From 165ec9cbe495fbcf70777cd194bc6cf11f5a3747 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Thu, 19 Sep 2013 00:06:04 +0300 Subject: [PATCH 7/9] sendmail: Clarified comments from sendmail::client::msa. --- sendmail/manifests/init.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/sendmail/manifests/init.pp b/sendmail/manifests/init.pp index 58f4646..c965108 100644 --- a/sendmail/manifests/init.pp +++ b/sendmail/manifests/init.pp @@ -147,12 +147,12 @@ class sendmail::client inherits sendmail::common { # Hostname of mail server. # # $sendmail_ssl_key: -# Path to SSL key file used for authentication. If not set no -# certificate authentication will be performed. +# Path to SSL key file used for authentication. If not set +# certificate authentication will be disabled. # # $sendmail_ssl_cert: -# Path to SSL certificate file used for authentication. If not set no -# certificate authentication will be performed. +# Path to SSL certificate file used for authentication. If not set +# certificate authentication will be disabled. # class sendmail::client::msa inherits sendmail::client { From 6cebef3715dc4d68dd91664f46d9affea7e4a32e Mon Sep 17 00:00:00 2001 
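Review bot: The added `define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile')` line in submit.mc.msa.erb relaxes one of sendmail's file-safety checks, and nothing in the template says why. From the manifest hunk in the same patch the reason appears to be that the key is installed as root:smmsp with mode 0640 so the submission program can read it. I would record that next to the define so the relaxation is not widened or copied without thought: `dnl Client key is root:smmsp 0640 (see sendmail::client::msa); GroupReadableKeyFile is needed for that and nothing else.`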
From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Tue, 24 Sep 2013 11:21:29 +0300 Subject: [PATCH 8/9] apache: Combined proxy.http.conf.erb to site.http.conf.erb. --- apache/manifests/debian.pp | 38 +++++++++++++--------------- apache/manifests/redhat.pp | 32 +++++++++++------------ apache/templates/proxy.http.conf.erb | 10 -------- apache/templates/site.http.conf.erb | 5 ++++ 4 files changed, 38 insertions(+), 47 deletions(-) delete mode 100644 apache/templates/proxy.http.conf.erb diff --git a/apache/manifests/debian.pp b/apache/manifests/debian.pp index 98c96cb..28f100b 100644 --- a/apache/manifests/debian.pp +++ b/apache/manifests/debian.pp @@ -88,7 +88,7 @@ class apache::debian::server inherits apache::debian::common { } -define apache::debian::site($aliases, $root, $redirect) { +define apache::debian::site($aliases, $root, $redirect, $proxy) { if $name == "default" { $site_fqdn = $homename @@ -100,7 +100,7 @@ define apache::debian::site($aliases, $root, $redirect) { $site_confdir = "/etc/apache2/sites-enabled/${site_fqdn}.d" if !$redirect { - if !$proxy { + if $proxy == "" { if $root { file { "/srv/www/http/${site_fqdn}": ensure => link, @@ -131,8 +131,8 @@ define apache::debian::site($aliases, $root, $redirect) { file { $site_conf: ensure => present, mode => "0644", - owner => root, - group => root, + owner => "root", + group => "root", notify => Service["apache2"], } 
@@ -140,26 +140,24 @@ define apache::debian::site($aliases, $root, $redirect) { File[$site_conf] { content => "\n ServerName ${site_fqdn}\n Redirect permanent / ${redirect}\n\n", } - } elsif $proxy { - File[$site_conf] { - content => template("apache/proxy.http.conf.erb"), - } } else { File[$site_conf] { content => template("apache/site.http.conf.erb"), } - file { $site_confdir: - ensure => directory, - mode => "0644", - owner => root, - group => root, - purge => true, - force => true, - recurse => true, - source => [ "puppet:///files/apache/sites/${site_fqdn}", - "puppet:///modules/custom/empty", ], - before => File[$site_conf], - notify => Service["apache2"], + if $proxy == "" { + file { $site_confdir: + ensure => directory, + mode => "0644", + owner => "root", + group => "root", + purge => true, + force => true, + recurse => true, + source => [ "puppet:///files/apache/sites/${site_fqdn}", + "puppet:///modules/custom/empty", ], + before => File[$site_conf], + notify => Service["apache2"], + } } } diff --git a/apache/manifests/redhat.pp b/apache/manifests/redhat.pp index f72ce64..86eb500 100644 --- a/apache/manifests/redhat.pp +++ b/apache/manifests/redhat.pp @@ -57,7 +57,7 @@ define apache::redhat::site($aliases, $root, $redirect, $proxy) { $site_confdir = "/etc/httpd/site.http.d/${site_fqdn}.d" if !$redirect { - if !$proxy { + if $proxy == "" { if $root { file { "/srv/www/http/${site_fqdn}": ensure => link, 
@@ -98,26 +98,24 @@ define apache::redhat::site($aliases, $root, $redirect, $proxy) { File[$site_conf] { content => "\n ServerName ${site_fqdn}\n Redirect permanent / ${redirect}\n\n", } - } elsif $proxy { - File[$site_conf] { - content => template("apache/proxy.http.conf.erb"), - } } else { File[$site_conf] { content => template("apache/site.http.conf.erb"), } - file { $site_confdir: - ensure => directory, - mode => "0644", - owner => root, - group => root, - purge => true, - force => true, - recurse => true, - source => [ "puppet:///files/apache/sites/${site_fqdn}", - "puppet:///modules/apache/emptysite", ], - before => File[$site_conf], - notify => Service["httpd"], + if $proxy == "" { + file { $site_confdir: + ensure => directory, + mode => "0644", + owner => "root", + group => "root", + purge => true, + force => true, + recurse => true, + source => [ "puppet:///files/apache/sites/${site_fqdn}", + "puppet:///modules/apache/emptysite", ], + before => File[$site_conf], + notify => Service["httpd"], + } } } diff --git a/apache/templates/proxy.http.conf.erb b/apache/templates/proxy.http.conf.erb deleted file mode 100644 index 06b4c83..0000000 --- a/apache/templates/proxy.http.conf.erb +++ /dev/null @@ -1,10 +0,0 @@ - - ServerName <%= @site_fqdn %> -<% if @aliases != "" -%> - ServerAlias <%= @aliases %> -<% end -%> - ErrorLog /srv/www/log/http/<%= @site_fqdn %>/error_log - CustomLog /srv/www/log/http/<%= @site_fqdn %>/access_log combined - ProxyPass / <%= @proxy %>/ - ProxyPassReverse / <%= @proxy %>/ - diff --git a/apache/templates/site.http.conf.erb b/apache/templates/site.http.conf.erb index 866939d..8624adb 100644 --- a/apache/templates/site.http.conf.erb +++ b/apache/templates/site.http.conf.erb 
@@ -5,6 +5,11 @@ <% end -%> ErrorLog /srv/www/log/http/<%= @site_fqdn %>/error_log CustomLog /srv/www/log/http/<%= @site_fqdn %>/access_log combined +<% if @proxy != "" -%> + ProxyPass / <%= @proxy %>/ + ProxyPassReverse / <%= @proxy %>/ +<% else -%> DocumentRoot /srv/www/http/<%= @site_fqdn %> Include <%= @site_confdir %>/*.conf +<% end -%> From 06eb2bdf9a388f6c57a21f9db25f2e6d8a7ccd63 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Tue, 24 Sep 2013 11:40:56 +0300 Subject: [PATCH 9/9] apache: Added proxy support to apache::sslsite. --- apache/manifests/debian.pp | 56 +++++++++++++++------------- apache/manifests/init.pp | 12 +++++- apache/manifests/redhat.pp | 56 +++++++++++++++------------- apache/templates/site.https.conf.erb | 9 ++++- 4 files changed, 78 insertions(+), 55 deletions(-) diff --git a/apache/manifests/debian.pp b/apache/manifests/debian.pp index 28f100b..8313714 100644 --- a/apache/manifests/debian.pp +++ b/apache/manifests/debian.pp @@ -185,26 +185,28 @@ class apache::debian::sslserver inherits apache::debian::common { define apache::debian::sslsite($first, $hsts, $ipaddr, $root, - $ssl_cert, $ssl_key, $ssl_chain) { + $ssl_cert, $ssl_key, $ssl_chain, $proxy) { if $name == "default" { $site_fqdn = $homename } else { $site_fqdn = $name - if $root { - file { "/srv/www/https/${site_fqdn}": - ensure => link, - target => $root, - before => Service["apache2"], - } - } else { - file { "/srv/www/https/${site_fqdn}": - ensure => directory, - mode => "0755", - owner => root, - group => root, - before => Service["apache2"], + if $proxy == "" { + if $root { + file { "/srv/www/https/${site_fqdn}": + ensure => link, + target => $root, + before => Service["apache2"], + } + } else { + file { "/srv/www/https/${site_fqdn}": + ensure => directory, + mode => "0755", + owner => "root", + group => "root", + before => Service["apache2"], + } } } 
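Review bot: The new `ProxyPass / <%= @proxy %>/` branch in site.http.conf.erb relies on the server-wide setting for forward proxying, and nothing in the vhost pins it. The global configuration is not visible here; if `ProxyRequests` were ever turned on there, this site would inherit it. Adding `ProxyRequests Off` directly above the `ProxyPass` line makes the reverse-proxy-only intent explicit at no cost. The same applies to the proxy branch added to site.https.conf.erb in patch 9/9.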
@@ -277,18 +279,20 @@ define apache::debian::sslsite($first, $hsts, $ipaddr, $root, File["/etc/ssl/private/${site_fqdn}.key"], ], } - file { $site_confdir: - ensure => directory, - mode => "0644", - owner => root, - group => root, - purge => true, - force => true, - recurse => true, - source => [ "puppet:///files/apache/sslsites/${site_fqdn}", - "puppet:///modules/custom/empty", ], - before => File[$site_conf], - notify => Service["apache2"], + if $proxy == "" { + file { $site_confdir: + ensure => directory, + mode => "0644", + owner => "root", + group => "root", + purge => true, + force => true, + recurse => true, + source => [ "puppet:///files/apache/sslsites/${site_fqdn}", + "puppet:///modules/custom/empty", ], + before => File[$site_conf], + notify => Service["apache2"], + } } } diff --git a/apache/manifests/init.pp b/apache/manifests/init.pp index f0d350d..384d578 100644 --- a/apache/manifests/init.pp +++ b/apache/manifests/init.pp @@ -279,6 +279,8 @@ class apache::sslserver::listen { # Path to SSL private key. Defaults to puppet client certificate. # $ssl_chain: # Path to SSL certificate chain. Defaults to none. +# $proxy: +# Proxy site to given URL. # # === Sample usage # @@ -288,8 +290,14 @@ class apache::sslserver::listen { # ssl_key => "puppet:///path/to/www.example.com.key", # } # +# apache::site { "proxy.example.com": +# ssl_cert => "puppet:///path/to/proxy.example.com.crt", +# ssl_key => "puppet:///path/to/proxy.example.com.key", +# proxy => "http://localhost:8080", +# } +# define apache::sslsite($first=false, $hsts=false, $ipaddr="_default_", $root="", - $ssl_cert="", $ssl_key="", $ssl_chain="") { + $ssl_cert="", $ssl_key="", $ssl_chain="", $proxy="") { include apache::sslserver::listen @@ -308,6 +316,7 @@ define apache::sslsite($first=false, $hsts=false, $ipaddr="_default_", $root="", ssl_cert => $ssl_cert, ssl_key => $ssl_key, ssl_chain => $ssl_chain, + proxy => $proxy, require => Class["apache::sslserver::listen"], } } 
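Review bot: The sample added in the `@@ -288,8 +290,14 @@` hunk of apache/manifests/init.pp declares `apache::site { "proxy.example.com":` but passes `ssl_cert` and `ssl_key`, and it sits in the header comment of `apache::sslsite`. The parameter list of apache::site is not visible here, but it looks like the example should read `# apache::sslsite { "proxy.example.com":`. Anyone copying it as written would most likely get a parameter error or a plain-HTTP proxy instead of the TLS site they expected.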
@@ -321,6 +330,7 @@ define apache::sslsite($first=false, $hsts=false, $ipaddr="_default_", $root="", ssl_cert => $ssl_cert, ssl_key => $ssl_key, ssl_chain => $ssl_chain, + proxy => $proxy, require => Class["apache::sslserver::listen"], } } diff --git a/apache/manifests/redhat.pp b/apache/manifests/redhat.pp index 86eb500..e2fd7a3 100644 --- a/apache/manifests/redhat.pp +++ b/apache/manifests/redhat.pp @@ -224,26 +224,28 @@ class apache::redhat::sslserver { define apache::redhat::sslsite($first, $hsts, $ipaddr, $root, - $ssl_cert, $ssl_key, $ssl_chain) { + $ssl_cert, $ssl_key, $ssl_chain, $proxy) { if $name == "default" { $site_fqdn = $homename } else { $site_fqdn = $name - if $root { - file { "/srv/www/https/${site_fqdn}": - ensure => link, - target => $root, - before => Service["httpsd"], - } - } else { - file { "/srv/www/https/${site_fqdn}": - ensure => directory, - mode => "0755", - owner => root, - group => root, - before => Service["httpsd"], + if $proxy == "" { + if $root { + file { "/srv/www/https/${site_fqdn}": + ensure => link, + target => $root, + before => Service["httpsd"], + } + } else { + file { "/srv/www/https/${site_fqdn}": + ensure => directory, + mode => "0755", + owner => "root", + group => "root", + before => Service["httpsd"], + } } } 
@@ -317,18 +319,20 @@ define apache::redhat::sslsite($first, $hsts, $ipaddr, $root, File["/etc/pki/tls/private/${site_fqdn}.key"], ], } - file { $site_confdir: - ensure => directory, - mode => "0644", - owner => root, - group => root, - purge => true, - force => true, - recurse => true, - source => [ "puppet:///files/apache/sslsites/${site_fqdn}", - "puppet:///modules/apache/emptysite", ], - before => File[$site_conf], - notify => Service["httpsd"], + if $proxy == "" { + file { $site_confdir: + ensure => directory, + mode => "0644", + owner => "root", + group => "root", + purge => true, + force => true, + recurse => true, + source => [ "puppet:///files/apache/sslsites/${site_fqdn}", + "puppet:///modules/apache/emptysite", ], + before => File[$site_conf], + notify => Service["httpsd"], + } } } diff --git a/apache/templates/site.https.conf.erb b/apache/templates/site.https.conf.erb index 4545bf6..df199b6 100644 --- a/apache/templates/site.https.conf.erb +++ b/apache/templates/site.https.conf.erb @@ -1,7 +1,6 @@ :443> # General setup for the virtual host, inherited from global configuration -DocumentRoot "/srv/www/https/<%= @site_fqdn %>" ServerName <%= @site_fqdn %>:443 # Use separate log files for the SSL virtual host; note that LogLevel @@ -156,6 +155,12 @@ BrowserMatch "MSIE [2-5]" \ <% end -%> -Include <%= @site_confdir %>/*.conf +<% if @proxy != "" -%> + ProxyPass / <%= @proxy %>/ + ProxyPassReverse / <%= @proxy %>/ +<% else -%> + DocumentRoot /srv/www/https/<%= @site_fqdn %> + Include <%= @site_confdir %>/*.conf +<% end -%>
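Review bot: In the proxy branch added to site.https.conf.erb, the TLS vhost forwards decrypted requests to whatever URL `@proxy` holds, with no handling that depends on the scheme or host. An `https://` backend would additionally need `SSLProxyEngine on` (unless that is set elsewhere), and an `http://` backend on another host would carry the traffic in clear text behind the TLS front end. The documented example, `http://localhost:8080`, is fine, so stating the expectation next to the parameter in apache/manifests/init.pp would be enough: `# $proxy: Proxy site to given URL. Intended for a local http:// backend; an https:// backend needs SSLProxyEngine.`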