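# Base Apache 2 setup for hosts managed by this puppet tree: packages, the
# shared conf.d snippets, the default vhost, log rotation, munin checks and
# the ferm (iptables) rules that rate-limit HTTP clients.
#
# Top-scope variables read here:
#   $fqdn - fact; selects a per-host override under puppet:///apache2/per-host/
#           before falling back to the common copy of each file
#   $php5 - "true" additionally installs and configures php5-suhosin;
#           presumably set per node outside this class (TODO confirm)
#
# Two defined types are provided for other manifests:
#   apache2::activate_apache_site - manage a sites-enabled symlink
#   apache2::enable_module        - run a2enmod/a2dismod idempotently
class apache2 {
    # munin checks for apache; "ps_apache2" uses the ps_ plugin script
    activate_munin_check {
        "apache_accesses":;
        "apache_processes":;
        "apache_volume":;
        "apache_servers":;
        "ps_apache2": script => "ps_";
    }

    package {
        "apache2": ensure => installed;
        "logrotate": ensure => installed;
    }

    # Optional PHP hardening: suhosin plus its ini file.  Compared as the
    # string "true" because the variable is presumably set as a string.
    case $php5 {
        "true": {
            package {
                "php5-suhosin": ensure => installed;
            }

            # A config change needs force-reload, not reload, to be picked up.
            file { "/etc/php5/conf.d/suhosin.ini":
                source  => [ "puppet:///apache2/per-host/$fqdn/etc/php5/conf.d/suhosin.ini",
                             "puppet:///apache2/common/etc/php5/conf.d/suhosin.ini" ],
                require => Package["apache2", "php5-suhosin"],
                notify  => Exec["force-reload-apache2"];
            }
        }
    }

    # Manage the sites-enabled symlink for a vhost.
    #   $name   - name of the symlink in /etc/apache2/sites-enabled
    #   $site   - name of the target in /etc/apache2/sites-available;
    #             defaults to $name, and an explicit "" falls back to $name too
    #   $ensure - present (create the symlink) or absent (remove it)
    # Any other $ensure aborts the catalog run instead of being logged and
    # silently ignored.
    define activate_apache_site($ensure=present, $site=$name) {
        case $site {
            "": { $base = $name }
            default: { $base = $site }
        }

        case $ensure {
            present: {
                # ensure => <path> makes the file resource a symlink to it
                file { "/etc/apache2/sites-enabled/$name":
                    ensure  => "/etc/apache2/sites-available/$base",
                    require => Package["apache2"],
                    notify  => Exec["reload-apache2"];
                }
            }
            absent: {
                file { "/etc/apache2/sites-enabled/$name":
                    ensure => $ensure,
                    notify => Exec["reload-apache2"];
                }
            }
            default: { fail("Unknown ensure value: '$ensure'") }
        }
    }

    # Enable or disable an apache module via a2enmod/a2dismod.
    #   $name   - module name; it is interpolated into a shell command line,
    #             so only declare names that come from these manifests
    #   $ensure - present or absent; anything else aborts the catalog run
    # The unless/onlyif guards test the mods-enabled symlink so the command
    # only runs when the current state differs from the requested one.
    define enable_module($ensure=present) {
        case $ensure {
            present: {
                exec {
                    "/usr/sbin/a2enmod $name":
                        unless => "/bin/sh -c '[ -L /etc/apache2/mods-enabled/${name}.load ]'",
                        notify => Exec["force-reload-apache2"],
                }
            }
            absent: {
                exec {
                    "/usr/sbin/a2dismod $name":
                        onlyif => "/bin/sh -c '[ -L /etc/apache2/mods-enabled/${name}.load ]'",
                        notify => Exec["force-reload-apache2"],
                }
            }
            default: { fail("Unknown ensure value: '$ensure'") }
        }
    }

    # mod_info and mod_status are enabled here; what they expose is
    # restricted by the conf.d/server-status snippet below (content lives
    # in the module's files/, not visible here - TODO confirm).
    enable_module {
        "info":;
        "status":;
    }

    # Replace Debian's stock default vhost with our own.
    activate_apache_site {
        "00-default": site => "default-debian.org";
        "000-default": ensure => absent;
    }

    # Per-host override first, common copy second, for every sourced file.
    # Modes are quoted: a bare number is read as a decimal integer by newer
    # puppet releases, which would yield a different mode.
    file {
        "/etc/apache2/conf.d/ressource-limits":
            content => template("apache2/ressource-limits.erb"),
            require => Package["apache2"],
            notify  => Exec["reload-apache2"];
        "/etc/apache2/conf.d/security":
            source  => [ "puppet:///apache2/per-host/$fqdn/etc/apache2/conf.d/security",
                         "puppet:///apache2/common/etc/apache2/conf.d/security" ],
            require => Package["apache2"],
            notify  => Exec["reload-apache2"];
        "/etc/apache2/conf.d/local-serverinfo":
            source  => [ "puppet:///apache2/per-host/$fqdn/etc/apache2/conf.d/local-serverinfo",
                         "puppet:///apache2/common/etc/apache2/conf.d/local-serverinfo" ],
            require => Package["apache2"],
            notify  => Exec["reload-apache2"];
        "/etc/apache2/conf.d/server-status":
            source  => [ "puppet:///apache2/per-host/$fqdn/etc/apache2/conf.d/server-status",
                         "puppet:///apache2/common/etc/apache2/conf.d/server-status" ],
            require => Package["apache2"],
            notify  => Exec["reload-apache2"];

        "/etc/apache2/sites-available/default-debian.org":
            content => template("apache2/default-debian.org.erb"),
            require => Package["apache2"],
            notify  => Exec["reload-apache2"];

        "/etc/logrotate.d/apache2":
            source  => [ "puppet:///apache2/per-host/$fqdn/etc/logrotate.d/apache2",
                         "puppet:///apache2/common/etc/logrotate.d/apache2" ];

        # Document root for the default vhost.  No owner/group is set, so
        # existing ownership is left alone - TODO confirm that is intended.
        "/srv/www":
            mode    => "0755",
            ensure  => directory;
        "/srv/www/default.debian.org":
            mode    => "0755",
            ensure  => directory;
        "/srv/www/default.debian.org/htdocs":
            mode    => "0755",
            ensure  => directory;
        "/srv/www/default.debian.org/htdocs/index.html":
            content => template("apache2/default-index.html");

        # sometimes this is a symlink
        #"/var/log/apache2":
        #    mode    => "0755",
        #    ensure  => directory;
    }

    # Only triggered via notify; reload for config changes, force-reload
    # where a plain reload is not enough (module and PHP changes).
    exec {
        "reload-apache2":
            command => "/etc/init.d/apache2 reload",
            refreshonly => true;
        "force-reload-apache2":
            command => "/etc/init.d/apache2 force-reload",
            refreshonly => true;
    }

    # Virtual ferm rules, presumably realized by the ferm module's collector.
    # prio presumably orders the rules in the generated ferm config; the
    # http chain jumps to log_or_drop, which must be defined elsewhere.
    # Per-source rate limiting against HTTP flooding, plus connection
    # limits for two crawlers.
    @ferm::rule { "dsa-http-limit":
        prio            => "20",
        description     => "limit HTTP DOS",
        rule            => "chain 'http_limit' { mod limit limit-burst 60 limit 15/minute jump ACCEPT; jump DROP; }"
    }
    @ferm::rule { "dsa-http-soso":
        prio            => "21",
        description     => "slow soso spider",
        rule            => "chain 'limit_sosospider' { mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP; jump http_limit; }"
    }
    @ferm::rule { "dsa-http-yahoo":
        prio            => "21",
        description     => "slow yahoo spider",
        rule            => "chain 'limit_yahoo' { mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP; jump http_limit; }"
    }
    @ferm::rule { "dsa-http-rules":
        prio            => "22",
        description     => "http subchain",
        rule            => "chain 'http' { saddr ( 74.6.22.182 74.6.18.240 ) jump limit_yahoo; saddr 124.115.0.0/21 jump limit_sosospider; mod recent name HTTPDOS update seconds 1800 jump log_or_drop; mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT; mod recent name HTTPDOS set jump log_or_drop; }"
    }
    @ferm::rule { "dsa-http":
        prio            => "23",
        description     => "Allow web access",
        rule            => "proto tcp dport http jump http;"
    }
    # IPv6 has no equivalent of the rate-limit chains above; port 80 is
    # simply allowed.
    @ferm::rule { "dsa-http-v6":
        domain          => "(ip6)",
        prio            => "23",
        description     => "Allow web access",
        rule            => "&SERVICE(tcp, 80)"
    }
}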
# vim:set et:
# vim:set sts=4 ts=4:
# vim:set shiftwidth=4: