Added virtual host support for Debian/Ubuntu to apache module

2010-11-05 16:55:05 +02:00 · 2010-11-05 16:55:05 +02:00 · 42fd785e66
commit 42fd785e66
parent 512c38ba9d
4 changed files with 230 additions and 33 deletions
--- a/apache/manifests/debian.pp
+++ b/apache/manifests/debian.pp
@ -10,7 +10,9 @@ class apache::debian::common {
    file { [ "/srv/www/http",
             "/srv/www/http/${fqdn}",
             "/srv/www/log/http",
-             "/srv/www/log/http/${fqdn}", ]:
+             "/srv/www/log/http/${fqdn}",
+             "/etc/apache2/conf.d",
+             "/etc/apache2/sites-enabled", ]:
        ensure  => directory,
        mode    => 0644,
        owner   => root,
@ -19,22 +21,43 @@ class apache::debian::common {
        before  => File["/etc/apache2/apache2.conf"],
    }

+    File["/etc/apache2/conf.d", "/etc/apache2/sites-enabled"] {
+        purge   => true,
+        force   => true,
+        recurse => true,
+        source  => "puppet:///custom/empty",
+    }
+
    file { "/etc/apache2/envvars":
        ensure  => present,
        content => template("apache/apache2.envvars.erb"),
        mode    => 0644,
        owner   => root,
        group   => root,
+        before  => File["/etc/apache2/apache2.conf"],
+        require => Package["httpd"],
+        notify  => Service["apache2"],
+    }
+
+    file { "/etc/apache2/httpd.conf":
+        ensure  => present,
+        content => template("apache/apache2.httpd.conf.erb"),
+        mode    => 0644,
+        owner   => root,
+        group   => root,
+        before  => File["/etc/apache2/apache2.conf"],
        require => Package["httpd"],
        notify  => Service["apache2"],
    }

    file { "/etc/apache2/ports.conf":
        ensure  => present,
-        content => "# HTTP server disabled\n"
+        content => "# HTTP server disabled\n",
        mode    => 0644,
        owner   => root,
        group   => root,
+        before  => File["/etc/apache2/apache2.conf"],
+        require => Package["httpd"],
        notify  => Service["apache2"],
    }

@ -44,7 +67,6 @@ class apache::debian::common {
        mode    => 0644,
        owner   => root,
        group   => root,
-        require => File["/etc/apache2/envvars", "/etc/apache2/ports.conf" ],
        notify  => Service["apache2"],
    }

@ -68,12 +90,12 @@ class apache::debian::server inherits apache::debian::common {

 define apache::debian::site($aliases, $root, $config, $redirect) {

-    $site_conf = "/etc/apache2/sites-available/${name}.conf"
-
    if $name == "default" {
        $site_fqdn = $fqdn
+        $site_conf = "/etc/apache2/sites-enabled/00-${site_fqdn}.conf"
    } else {
        $site_fqdn = $name
+        $site_conf = "/etc/apache2/sites-enabled/${site_fqdn}.conf"

        if !$redirect {
            if $root {
@ -107,7 +129,7 @@ define apache::debian::site($aliases, $root, $config, $redirect) {
        mode   => 0644,
        owner  => root,
        group  => root,
-        notify => Service["httpd"],
+        notify => Service["apache2"],
    }

    if $config {
@ -149,6 +171,102 @@ class apache::debian::sslserver inherits apache::debian::common {
 }


+define apache::debian::sslsite($root, $config, $ssl_cert, $ssl_key, $ssl_chain) {
+
+    if $name == "default" {
+        $site_fqdn = $fqdn
+    } else {
+        $site_fqdn = $name
+
+        if $root {
+            file { "/srv/www/https/${site_fqdn}":
+                ensure => link,
+                target => $root,
+                before => Service["apache2"],
+            }
+        } else {
+            file { "/srv/www/https/${site_fqdn}":
+                ensure => directory,
+                mode   => 0755,
+                owner  => root,
+                group  => root,
+                before => Service["apache2"],
+            }
+        }
+
+        file { "/srv/www/log/https/${site_fqdn}":
+            ensure => directory,
+            mode   => 0755,
+            owner  => root,
+            group  => root,
+            before => Service["apache2"],
+        }
+    }
+
+    if $ssl_cert {
+        $real_ssl_cert = $ssl_cert
+    } else {
+        $real_ssl_cert = "${puppet_ssldir}/certs/${fqdn}.pem"
+    }
+
+    file { "/etc/ssl/certs/${site_fqdn}.crt":
+        ensure => present,
+        source => $real_ssl_cert,
+        mode   => 0644,
+        owner  => root,
+        group  => root,
+        notify => Service["apache2"],
+    }
+
+    if $ssl_key {
+        $real_ssl_key = $ssl_key
+    } else {
+        $real_ssl_key = "${puppet_ssldir}/private_keys/${fqdn}.pem"
+    }
+
+    file { "/etc/ssl/private/${site_fqdn}.key":
+        ensure => present,
+        source => $real_ssl_key,
+        mode   => 0600,
+        owner  => root,
+        group  => root,
+        notify => Service["apache2"],
+    }
+
+    if $ssl_chain {
+        file { "/etc/ssl/certs/${site_fqdn}.chain.crt":
+            ensure => present,
+            source => $ssl_chain,
+            mode   => 0644,
+            owner  => root,
+            group  => root,
+            notify => Service["apache2"],
+        }
+    }
+
+    file { "/etc/apache2/sites-enabled/${site_fqdn}-ssl.conf":
+        ensure  => present,
+        mode    => 0644,
+        owner   => root,
+        group   => root,
+        notify  => Service["apache2"],
+        require => [ File["/etc/ssl/certs/${site_fqdn}.crt"],
+                     File["/etc/ssl/private/${site_fqdn}.key"], ],
+    }
+
+    if $config {
+        File["/etc/apache2/sites-enabled/${site_fqdn}-ssl.conf"] {
+            source => $config,
+        }
+    } else {
+        File["/etc/apache2/sites-enabled/${site_fqdn}-ssl.conf"] {
+            content => template("apache/site.https.conf.erb"),
+        }
+    }
+
+}
+
+
 define apache::debian::configfile($source, $content, $http, $https) {

    file { "/etc/apache2/conf.d/${name}":
@ -218,26 +336,3 @@ define apache::debian::a2enmod($source="", $content="") {
    }

 }
-
-
-# Enable virtual host on Debian/Ubuntu Apache.
-#
-# === Parameters
-#
-#   $name:
-#       FQDN of virtual host.
-#
-define apache::debian::a2ensite() {
-
-    exec { "a2ensite-${name}":
-        path    => "/bin:/usr/bin:/sbin:/usr/sbin",
-        command => "a2ensite ${name}",
-        unless  => $name ? {
-            "default" => "test -h /etc/apache2/sites-enabled/000-default",
-            default   => "test -h /etc/apache2/sites-enabled/${name}",
-        },
-        notify  => Service["apache2"],
-        require => Package["httpd"],
-    }
-
-}
--- a/apache/manifests/init.pp
+++ b/apache/manifests/init.pp
@ -202,6 +202,7 @@ define apache::sslsite($root="", $config="", $ssl_cert="", $ssl_key="", $ssl_cha

    case $operatingsystem {
        debian,ubuntu: {
+            $apache_ssldir = "/etc/ssl"
            apache::debian::sslsite { "${name}":
                root      => $root,
                config    => $config,
@ -211,6 +212,7 @@ define apache::sslsite($root="", $config="", $ssl_cert="", $ssl_key="", $ssl_cha
            }
        }
        centos,fedora: {
+            $apache_ssldir = "/etc/pki/tls"
            apache::redhat::sslsite { "${name}":
                root      => $root,
                config    => $config,
--- a/apache/templates/apache2.httpd.conf.erb
+++ b/apache/templates/apache2.httpd.conf.erb
@ -0,0 +1,93 @@
+#
+# ServerAdmin: Your address, where problems with the server should be
+# e-mailed.  This address appears on some server-generated pages, such
+# as error documents.  e.g. admin@your-domain.com
+#
+ServerAdmin adm@<%= domain %>
+
+#
+# ServerName gives the name and port that the server uses to identify itself.
+# This can often be determined automatically, but we recommend you specify
+# it explicitly to prevent problems during startup.
+#
+# If this is not set to valid DNS name for your host, server-generated
+# redirections will not work.  See also the UseCanonicalName directive.
+#
+# If your host doesn't have a registered DNS name, enter its IP address here.
+# You will have to access it by its address anyway, and this will make 
+# redirections work in a sensible way.
+#
+ServerName <%= fqdn %>
+
+#
+# UseCanonicalName: Determines how Apache constructs self-referencing 
+# URLs and the SERVER_NAME and SERVER_PORT variables.
+# When set "Off", Apache will use the Hostname and Port supplied
+# by the client.  When set "On", Apache will use the value of the
+# ServerName directive.
+#
+UseCanonicalName Off
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of:  On | Off | EMail
+#
+ServerSignature Off
+
+#
+# Each directory to which Apache has access can be configured with respect
+# to which services and features are allowed and/or disabled in that
+# directory (and its subdirectories). 
+#
+# First, we configure the "default" to be a very restrictive set of 
+# features.  
+#
+<Directory />
+    Options FollowSymLinks
+    AllowOverride None
+</Directory>
+
+#
+# Note that from this point forward you must specifically allow
+# particular features to be enabled - so if something's not working as
+# you might expect, make sure that you have specifically enabled it
+# below.
+#
+
+#
+# This should be changed to whatever you set DocumentRoot to.
+#
+<Directory "/srv/www">
+
+#
+# Possible values for the Options directive are "None", "All",
+# or any combination of:
+#   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
+#
+# Note that "MultiViews" must be named *explicitly* --- "Options All"
+# doesn't give it to you.
+#
+# The Options directive is both complicated and important.  Please see
+# http://httpd.apache.org/docs/2.2/mod/core.html#options
+# for more information.
+#
+    Options Indexes FollowSymLinks
+
+#
+# AllowOverride controls what directives may be placed in .htaccess files.
+# It can be "All", "None", or any combination of the keywords:
+#   Options FileInfo AuthConfig Limit
+#
+    AllowOverride None
+
+#
+# Controls who can get stuff from this server.
+#
+    Order allow,deny
+    Allow from all
+
+</Directory>
--- a/apache/templates/site.https.conf.erb
+++ b/apache/templates/site.https.conf.erb
@ -9,7 +9,12 @@
 # consult the online docs. You have been warned.  
 #

+#
+# Load SSL module if not loaded
+#
+<IfModule !mod_ssl.c>
 LoadModule ssl_module modules/mod_ssl.so
+</IfModule>

 #
 # When we also provide SSL we have to listen to the 
@ -17,6 +22,7 @@ LoadModule ssl_module modules/mod_ssl.so
 #
 Listen 443

+<% if operatingsystem == 'CentOS' or operatingsystem == 'Fedora' -%>
 ##
 ##  SSL Global Context
 ##
@ -73,6 +79,7 @@ SSLRandomSeed connect builtin
 #
 SSLCryptoDevice builtin
 #SSLCryptoDevice ubsec
+<% end -%>

 ##
 ## SSL Virtual Host Context
@ -109,14 +116,14 @@ SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
 # the certificate is encrypted, then you will be prompted for a
 # pass phrase.  Note that a kill -HUP will prompt again.  A new
 # certificate can be generated using the genkey(1) command.
-SSLCertificateFile /etc/pki/tls/certs/<%= site_fqdn %>.crt
+SSLCertificateFile <%= apache_ssldir %>/certs/<%= site_fqdn %>.crt

 #   Server Private Key:
 #   If the key is not combined with the certificate, use this
 #   directive to point at the key file.  Keep in mind that if
 #   you've both a RSA and a DSA private key you can configure
 #   both in parallel (to also allow the use of DSA ciphers, etc.)
-SSLCertificateKeyFile /etc/pki/tls/private/<%= site_fqdn %>.key
+SSLCertificateKeyFile <%= apache_ssldir %>/private/<%= site_fqdn %>.key

 #   Server Certificate Chain:
 #   Point SSLCertificateChainFile at a file containing the
@ -126,7 +133,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/<%= site_fqdn %>.key
 #   when the CA certificates are directly appended to the server
 #   certificate for convinience.
 <% if ssl_chain != "" -%>
-SSLCertificateChainFile /etc/pki/tls/certs/<%= site_fqdn %>.chain.crt
+SSLCertificateChainFile <%= apache_ssldir %>/certs/<%= site_fqdn %>.chain.crt
 <% end -%>

 #   Certificate Authority (CA):