From 9238b1df481938b60dba7955887ed505d2b00ce3 Mon Sep 17 00:00:00 2001
From: Stephen Gran
Date: Sat, 20 Feb 2010 12:39:14 +0000
Subject: [PATCH] try managing suhosin with puppet
Signed-off-by: Stephen Gran
---
 .../files/common/etc/php5/conf.d/suhosin.ini | 94 +++++++++++++++++++
 modules/apache2/manifests/init.pp | 10 ++
 2 files changed, 104 insertions(+)
 create mode 100644 modules/apache2/files/common/etc/php5/conf.d/suhosin.ini
diff --git a/modules/apache2/files/common/etc/php5/conf.d/suhosin.ini b/modules/apache2/files/common/etc/php5/conf.d/suhosin.ini
new file mode 100644
index 00000000..46376f70
--- /dev/null
+++ b/modules/apache2/files/common/etc/php5/conf.d/suhosin.ini
@@ -0,0 +1,94 @@
+; configuration for php suhosin module
+extension=suhosin.so
+
+;;;;;;;;;;;;;;;;;;;
+; Module Settings ;
+;;;;;;;;;;;;;;;;;;;
+; the following values are the internal default settings and set implicit
+; feel free to modify to your needs
+
+[suhosin]
+; Logging Configuration
+;suhosin.log.syslog.facility = 9
+;suhosin.log.syslog.priority = 1
+;suhosin.log.script = 0
+;suhosin.log.phpscript = 0
+;suhosin.log.script.name =
+;suhosin.log.phpscript.name =
+;suhosin.log.use-x-forwarded-for = off
+
+; Executor Options
+;suhosin.executor.max_depth = 0
+;suhosin.executor.include.max_traversal = 0
+;suhosin.executor.include.whitelist =
+;suhosin.executor.include.blacklist =
+;suhosin.executor.func.whitelist =
+;suhosin.executor.func.blacklist =
+;suhosin.executor.eval.whitelist =
+;suhosin.executor.eval.blacklist =
+;suhosin.executor.disable_emodifier = off
+;suhosin.executor.allow_symlink = off
+
+; Misc Options
+;suhosin.simulation = off
+;suhosin.apc_bug_workaround = off
+;suhosin.sql.bailout_on_error = off
+;suhosin.sql.user_prefix =
+;suhosin.sql.user_postfix =
+;suhosin.multiheader = off
+;suhosin.mail.protect = 0
+;suhosin.memory_limit = 0
+
+; Transparent Encryption Options
+;suhosin.session.encrypt = on
+;suhosin.session.cryptkey =
+;suhosin.session.cryptua = on
+;suhosin.session.cryptdocroot = on
+;suhosin.session.cryptraddr = 0
+;suhosin.session.checkraddr = 0
+;suhosin.cookie.encrypt = on
+;suhosin.cookie.cryptkey =
+;suhosin.cookie.cryptua = on
+;suhosin.cookie.cryptdocroot = on
+;suhosin.cookie.cryptraddr = 0
+;suhosin.cookie.checkraddr = 0
+;suhosin.cookie.cryptlist =
+;suhosin.cookie.plainlist =
+
+; Filtering Options
+;suhosin.filter.action =
+;suhosin.cookie.max_array_depth = 100
+;suhosin.cookie.max_array_index_length = 64
+;suhosin.cookie.max_name_length = 64
+;suhosin.cookie.max_totalname_length = 256
+;suhosin.cookie.max_value_length = 10000
+;suhosin.cookie.max_vars = 100
+;suhosin.cookie.disallow_nul = on
+;suhosin.get.max_array_depth = 50 +;suhosin.get.max_array_index_length = 64 +;suhosin.get.max_name_length = 64 +;suhosin.get.max_totalname_length = 256 +suhosin.get.max_value_length = 4096 +;suhosin.get.max_vars = 100 +;suhosin.get.disallow_nul = on +;suhosin.post.max_array_depth = 100 +;suhosin.post.max_array_index_length = 64 +;suhosin.post.max_name_length = 64 +;suhosin.post.max_totalname_length = 256 +;suhosin.post.max_value_length = 65000 +;suhosin.post.max_vars = 200 +;suhosin.post.disallow_nul = on +;suhosin.request.max_array_depth = 100 +;suhosin.request.max_array_index_length = 64 +;suhosin.request.max_totalname_length = 256 +;suhosin.request.max_value_length = 65000 +;suhosin.request.max_vars = 200 +;suhosin.request.max_varname_length = 64 +;suhosin.request.disallow_nul = on +;suhosin.upload.max_uploads = 25 +;suhosin.upload.disallow_elf = on +;suhosin.upload.disallow_binary = off +;suhosin.upload.remove_binary = off +;suhosin.upload.verification_script = +;suhosin.session.max_id_length = 128 + diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp index dc8c66c8..9c5481cc 100644 --- a/modules/apache2/manifests/init.pp +++ b/modules/apache2/manifests/init.pp @@ -58,6 +58,16 @@ class apache2 { "000-default": ensure => absent; } + case $php5suhosin { + "true": { file { "/etc/php5/conf.d/suhosin.ini": + source => [ "puppet:///apache2/per-host/$fqdn/etc/php5/conf.d/suhosin.ini", + "puppet:///apache2/common/etc/php5/conf.d/suhosin.ini" ], + require => Package["apache2", "php5-suhosin"], + notify => Exec["force-reload-apache2"]; + } + } + } + file { "/etc/apache2/conf.d/ressource-limits": content => template("apache2/ressource-limits.erb"), -- 2.39.2
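Review bot: `suhosin.get.max_value_length = 4096` is the only active directive in the new suhosin.ini, yet it sits uncommented in the middle of the Filtering Options list under a header that says the values shown are the internal defaults, so the one deliberate override is easy to miss. If I recall the shipped defaults correctly the stock limit is 512, which would make this a relaxation of the GET value filter; because this is the `common` copy, it applies to every host that has no per-host file. I would put a comment directly above the line, for example `; local override: raised from the stock default because <application> sends long GET values`, and consider keeping the larger limit in the per-host file of the hosts that need it.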
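Review bot: The new `file { "/etc/php5/conf.d/suhosin.ini": ... }` resource in init.pp sets no `owner`, `group` or `mode`, so the permissions of a file that loads a PHP extension and carries the request-filter limits depend on whatever File defaults are in scope outside this hunk. Unless such defaults exist, I would add `owner => root, group => root, mode => 444,` to the resource. The `case $php5suhosin` has no `default` branch, so a host where the variable is unset or not exactly the string "true" gets no suhosin configuration and no message; a short comment above the `case` stating that the hardening is opt-in would make that visible. `Package["php5-suhosin"]` is not declared in this hunk and the class body continues outside it, so confirm the package is declared for every host that sets the variable.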