3rdparty/modules/apache/manifests/mod/security.pp

   1 class apache::mod::security (
   2   $crs_package           = $::apache::params::modsec_crs_package,
   3   $activated_rules       = $::apache::params::modsec_default_rules,
   4   $modsec_dir            = $::apache::params::modsec_dir,
   5   $allowed_methods       = 'GET HEAD POST OPTIONS',
   6   $content_types         = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf',
   7   $restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',
   8   $restricted_headers    = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',
   9 ){
  10
  11   if $::osfamily == 'FreeBSD' {
  12     fail('FreeBSD is not currently supported')
  13   }
  14
  15   ::apache::mod { 'security':
  16     id  => 'security2_module',
  17     lib => 'mod_security2.so',
  18   }
  19
  20   ::apache::mod { 'unique_id_module':
  21     id  => 'unique_id_module',
  22     lib => 'mod_unique_id.so',
  23   }
  24
  25   if $crs_package  {
  26     package { $crs_package:
  27       ensure => 'latest',
  28       before => File['security.conf'],
  29     }
  30   }
  31
  32   # Template uses:
  33   # - $modsec_dir
  34   file { 'security.conf':
  35     ensure  => file,
  36     content => template('apache/mod/security.conf.erb'),
  37     path    => "${::apache::mod_dir}/security.conf",
  38     owner   => $::apache::params::user,
  39     group   => $::apache::params::group,
  40     require => Exec["mkdir ${::apache::mod_dir}"],
  41     before  => File[$::apache::mod_dir],
  42     notify  => Class['apache::service'],
  43   }
  44
  45   file { $modsec_dir:
  46     ensure  => directory,
  47     owner   => $::apache::params::user,
  48     group   => $::apache::params::group,
  49     mode    => '0555',
  50     purge   => true,
  51     force   => true,
  52     recurse => true,
  53   }
  54
  55   file { "${modsec_dir}/activated_rules":
  56     ensure  => directory,
  57     owner   => $::apache::params::user,
  58     group   => $::apache::params::group,
  59     mode    => '0555',
  60     purge   => true,
  61     force   => true,
  62     recurse => true,
  63     notify  => Class['apache::service'],
  64   }
  65
  66   file { "${modsec_dir}/security_crs.conf":
  67     ensure  => file,
  68     content => template('apache/mod/security_crs.conf.erb'),
  69     require => File[$modsec_dir],
  70     notify  => Class['apache::service'],
  71   }
  72
  73   apache::security::rule_link { $activated_rules: }
  74
  75 }