Commit f5a414d1 authored by André Kerkhoff's avatar André Kerkhoff

Use apache2 cookbook >= 6.0

parent b81b6e88
......@@ -4,6 +4,8 @@ DEPENDENCIES
metadata: true
GRAPH
apache2 (5.2.1)
foswiki (2.9.0)
apache2 (< 6.0)
apache2 (8.14.2)
yum-epel (>= 0.0.0)
foswiki (3.0.0)
apache2 (>= 6.0)
yum-epel (4.4.1)
......@@ -3,7 +3,7 @@ maintainer 'GSI Linux & Web Team'
maintainer_email 'cit-lw@gsi.de'
license 'Apache-2.0'
description 'Installs/Configures Foswiki'
version '2.12.0'
depends 'apache2', '< 6.0'
version '3.0.0'
depends 'apache2', '>= 6.0'
supports 'debian'
supports 'ubuntu'
......@@ -17,7 +17,12 @@
# limitations under the License.
#
include_recipe 'apache2'
# Initialize data from apache2 cookbook
Chef::DSL::Recipe.include Apache2::Cookbook::Helpers
Chef::Resource.include Apache2::Cookbook::Helpers
apache_user = default_apache_user
apache_group = default_apache_group
service 'apache2'
# Some plugins hint to what Apache should do
if find_resource(:foswiki_plugin, 'XSendFileContrib')
......@@ -35,15 +40,15 @@ apache_conf['unprotected_attachments'] = [
] if apache_conf['unprotected_attachments'].eql? :default
# Configure mod_expires
include_recipe 'apache2::mod_expires' if apache_conf['pub_expires_time']
apache2_module 'expires' if apache_conf['pub_expires_time']
# Configure mod_fcgid
if apache_conf['use_fcgi']
include_recipe 'apache2::mod_fcgid'
apache2_mod_fcgid 'fcgid'
edit_resource(:foswiki_plugin, 'FastCGIEngineContrib') do
foswiki_version node['foswiki']['version']
user node['apache']['user']
group node['apache']['group']
user apache_user
group apache_group
action :install
end
foswiki_configure '{Htpasswd}{GlobalCache}'
......@@ -51,11 +56,11 @@ end
# Configure mod_xsendfile
if apache_conf['use_xsendfile']
include_recipe 'apache2::mod_xsendfile'
apache2_module 'xsendfile'
edit_resource(:foswiki_plugin, 'XSendFileContrib') do
foswiki_version node['foswiki']['version']
user node['apache']['user']
group node['apache']['group']
user apache_user
group apache_group
action :install
end
foswiki_configure '{XSendFileContrib}{Header}' do
......@@ -64,9 +69,9 @@ if apache_conf['use_xsendfile']
end
# Configure mod_ssl
include_recipe 'apache2::mod_ssl' if apache_conf['use_tls']
apache2_mod_ssl 'ssl' if apache_conf['use_tls']
# Collect data for web_app
# Collect data for Apache site
dirs = {}
%w(data install locales pub script template tools).each do |dir|
dirs[dir] = foswiki_dir(dir)
......@@ -78,39 +83,47 @@ pub_url_path = node['foswiki']['config']['PubUrlPath']
script_url_path = node['foswiki']['config']['ScriptUrlPath']
script_url_path_view = node['foswiki']['config']['ScriptUrlPaths']['view']
web_app apache_conf['server_name'] do
access_control apache_conf['access_control']
blocked_agents apache_conf['blocked_agents']
blocked_ips apache_conf['blocked_ips']
cert_name apache_conf['cert_name']
cert_chain_file apache_conf['cert_chain_file']
cert_file apache_conf['cert_file']
cert_key_file apache_conf['cert_key_file']
custom_log apache_conf['custom_log']
data_dir dirs['data']
favicon favicon_path
fcgid_max_request_len apache_conf['fcgid_max_request_len']
http_port apache_conf['http_port']
https_port apache_conf['https_port']
install_dir dirs['install']
locales_dir dirs['locales']
log_level apache_conf['log_level']
protect_attachments apache_conf['protect_attachments']
pub_dir dirs['pub']
pub_expires_match apache_conf['pub_expires_match']
pub_expires_time apache_conf['pub_expires_time']
pub_url_path pub_url_path
script_dir dirs['script']
script_url_path script_url_path
script_url_path_view script_url_path_view
server_admin apache_conf['server_admin']
server_alias apache_conf['server_alias']
server_name apache_conf['server_name']
template_dir dirs['template']
tools_dir dirs['tools']
unprotected_attachments apache_conf['unprotected_attachments']
use_fcgi apache_conf['use_fcgi']
use_short_urls apache_conf['use_short_urls']
use_tls apache_conf['use_tls']
use_xsendfile apache_conf['use_xsendfile']
template "#{apache_conf['server_name']}.conf" do
source 'apache2_site.conf.erb'
path "#{apache_dir}/sites-available/#{apache_conf['server_name']}.conf"
variables(
access_control: apache_conf['access_control'],
blocked_agents: apache_conf['blocked_agents'],
blocked_ips: apache_conf['blocked_ips'],
cert_name: apache_conf['cert_name'],
cert_chain_file: apache_conf['cert_chain_file'],
cert_file: apache_conf['cert_file'],
cert_key_file: apache_conf['cert_key_file'],
custom_log: apache_conf['custom_log'],
data_dir: dirs['data'],
favicon: favicon_path,
fcgid_max_request_len: apache_conf['fcgid_max_request_len'],
http_port: apache_conf['http_port'],
https_port: apache_conf['https_port'],
install_dir: dirs['install'],
locales_dir: dirs['locales'],
log_level: apache_conf['log_level'],
protect_attachments: apache_conf['protect_attachments'],
pub_dir: dirs['pub'],
pub_expires_match: apache_conf['pub_expires_match'],
pub_expires_time: apache_conf['pub_expires_time'],
pub_url_path: pub_url_path,
script_dir: dirs['script'],
script_url_path: script_url_path,
script_url_path_view: script_url_path_view,
server_admin: apache_conf['server_admin'],
server_alias: apache_conf['server_alias'],
server_name: apache_conf['server_name'],
template_dir: dirs['template'],
tools_dir: dirs['tools'],
unprotected_attachments: apache_conf['unprotected_attachments'],
use_fcgi: apache_conf['use_fcgi'],
use_short_urls: apache_conf['use_short_urls'],
use_tls: apache_conf['use_tls'],
use_xsendfile: apache_conf['use_xsendfile']
)
end
apache2_site apache_conf['server_name'] do
action :enable
end
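Review bot: The new `template "#{apache_conf['server_name']}.conf"` resource carries no `notifies`, so as far as this hunk shows, a change to the rendered vhost (an updated `blocked_ips` list, `access_control` or certificate path) is written to disk without the running Apache picking it up. The `apache2_site ... action :enable` below presumably only acts when the site is first enabled. Adding `notifies :reload, 'service[apache2]', :delayed` to the template would apply such changes and fits the `service 'apache2'` declared near the top of the recipe. Setting `owner 'root'`, `group 'root'` and `mode '0644'` explicitly would also stop the file's permissions depending on defaults. Separately, `Chef::Resource.include Apache2::Cookbook::Helpers` extends every resource class in the run, apparently only so that `apache_dir` resolves inside this block; computing the path into a recipe-level local first would avoid that.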
......@@ -17,6 +17,11 @@
# limitations under the License.
#
# Initialize data from apache2 cookbook
Chef::DSL::Recipe.include Apache2::Cookbook::Helpers
apache_user = default_apache_user
apache_group = default_apache_group
Chef::DSL::Recipe.include Foswiki::Dependencies
# Install needed packages
......@@ -91,8 +96,8 @@ htpasswd_file ||= foswiki_resolve(foswiki_get('{Htpasswd}{FileName}'))
htpasswd_file ||= "#{foswiki_dir('data')}/.htpasswd"
execute "htpasswd -b -c '#{htpasswd_file}' admin secret" do
creates htpasswd_file
user node['apache']['user']
group node['apache']['group']
user apache_user
group apache_group
ignore_failure true # Apache is not installed
end
......@@ -141,8 +146,8 @@ end
base = "#{foswiki_dir('data')}/#{topic.tr('.', '/')}"
file "#{base}.txt" do
content tcontent
user node['apache']['user']
group node['apache']['group']
user apache_user
group apache_group
end
begin
time = tcontent.split("\n")[0].split.grep(/^date=/)[0].split('"')[1]
......@@ -162,16 +167,16 @@ end
(node['foswiki']['plugins'] || []).each do |plugin|
foswiki_plugin plugin do
foswiki_version node['foswiki']['version']
user node['apache']['user']
group node['apache']['group']
user apache_user
group apache_group
end
end
# Create extensions web
unless node['foswiki']['extensions_web'].nil?
foswiki_extensions_web node['foswiki']['extensions_web'] do
user node['apache']['user']
group node['apache']['group']
user apache_user
group apache_group
end
end
......@@ -179,8 +184,8 @@ end
foswiki_patches 'default' do
holidaylistplugin node['foswiki']['patches']['holidaylistplugin']
noproxy node['foswiki']['patches']['noproxy']
owner node['apache']['user']
group node['apache']['group']
owner apache_user
group apache_group
end
# Manage Cron job
......@@ -202,7 +207,7 @@ template '/etc/cron.d/foswiki' do
end,
tools_dir: foswiki_dir('tools'),
trash_cleanup_time: node['foswiki']['cron']['trash_cleanup_time'],
user: node['apache']['user']
user: apache_user
)
end
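Review bot: The `execute "htpasswd -b -c '#{htpasswd_file}' admin secret"` resource, whose `user`/`group` lines change in this file, still creates the admin account with a fixed password written in the recipe. The `-b` flag also puts that password on the command line, where it can show up in process listings and in Chef output. Since the resource is being touched anyway, consider taking the initial password from a node attribute or an encrypted source, feeding it on stdin with `htpasswd -i` instead of `-b`, and adding `sensitive true` to the resource. Also, `apache_user` and `apache_group` now come from `default_apache_user` and `default_apache_group`, which look like platform defaults. A deployment that overrode `node['apache']['user']` would presumably end up with files owned by a different account than the one Apache runs as, which deserves a line in the changelog for 3.0.0.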
......
......@@ -38,6 +38,8 @@ end
action_class do
def patch_file(filename, asource)
service 'apache2'
cookbook_file "#{foswiki_dir('install')}/lib/#{filename}" do
source asource
owner new_resource.owner
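Review bot: The bare `service 'apache2'` added at the top of `patch_file` has no comment saying why it is needed, and it declares another `service[apache2]` resource inside this custom resource's own run context on every call. If the intent is to give a `notifies` further down something to resolve, a comment such as `# Declared so notifications from the patched files can resolve service[apache2]` would make that clear. `patch_file` continues past the end of the hunk, so it cannot be told from here whether the notification could target the recipe-level service instead.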
......
<% if @params[:use_tls] -%>
<% if @params[:http_port] -%>
<VirtualHost *:<%= @params[:http_port] %>>
ServerName <%= @params[:server_name] %>
Redirect permanent / https://<%= @params[:server_name] %>/
<% if @use_tls -%>
<% if @http_port -%>
<VirtualHost *:<%= @http_port %>>
ServerName <%= @server_name %>
Redirect permanent / https://<%= @server_name %>/
</VirtualHost>
<% end -%>
<VirtualHost *:<%= @params[:https_port] %>>
<VirtualHost *:<%= @https_port %>>
<% else -%>
<VirtualHost *:<%= @params[:http_port] %>>
<VirtualHost *:<%= @http_port %>>
<% end -%>
ServerAdmin <%= @params[:server_admin] %>
DocumentRoot "<%= @params[:install_dir] %>"
ServerName <%= @params[:server_name] %>
<% if @params[:server_alias].is_a?(String) && !@params[:server_alias].empty? -%>
ServerAlias <%= @params[:server_alias] %>
<% elsif @params[:server_alias].is_a?(Array) && !@params[:server_alias].empty? -%>
ServerAlias <%= @params[:server_alias].join(' ') %>
ServerAdmin <%= @server_admin %>
DocumentRoot "<%= @install_dir %>"
ServerName <%= @server_name %>
<% if @server_alias.is_a?(String) && !@server_alias.empty? -%>
ServerAlias <%= @server_alias %>
<% elsif @server_alias.is_a?(Array) && !@server_alias.empty? -%>
ServerAlias <%= @server_alias.join(' ') %>
<% end -%>
LimitRequestLine 131072
LogLevel <%= @params[:log_level] || 'info' %>
ErrorLog ${APACHE_LOG_DIR}/<%= @params[:server_name] %>-error.log
CustomLog ${APACHE_LOG_DIR}/<%= @params[:server_name] %>-access.log <%= @params[:custom_log] || 'combined' %>
LogLevel <%= @log_level || 'info' %>
ErrorLog ${APACHE_LOG_DIR}/<%= @server_name %>-error.log
CustomLog ${APACHE_LOG_DIR}/<%= @server_name %>-access.log <%= @custom_log || 'combined' %>
<% if @params[:use_tls] -%>
<% if @use_tls -%>
SSLEngine On
SSLCertificateFile <%= @params[:cert_file] %>
<% if @params[:cert_key_file] -%>
SSLCertificateKeyFile <%= @params[:cert_key_file] %>
SSLCertificateFile <%= @cert_file %>
<% if @cert_key_file -%>
SSLCertificateKeyFile <%= @cert_key_file %>
<% end -%>
<% if @params[:cert_chain_file] -%>
SSLCertificateChainFile <%= @params[:cert_chain_file] %>
<% if @cert_chain_file -%>
SSLCertificateChainFile <%= @cert_chain_file %>
<% end -%>
<% end -%>
......@@ -43,47 +43,47 @@
# http://my.co.uk/foswiki/bin/view/...
# The second parameter must point to the physical path on your disc.
ScriptAlias /bin "<%= @params[:script_dir] %><%= '/foswiki.fcgi' if @params[:use_fcgi] %>"
ScriptAlias /bin "<%= @script_dir %><%= '/foswiki.fcgi' if @use_fcgi %>"
# The following Alias is used to access files in the pub directory (attachments etc)
# It must come _after_ the ScriptAlias.
# If short URLs are enabled, and any other local directories or files need to be accessed directly, they
# must also be specified in an Alias statement, and must not conflict with a web name.
#Alias <%= @params[:pub_url_path] %> "<%= @params[:pub_dir] %>"
<% if @params[:favicon] -%>
Alias /favicon.ico "<%= @params[:favicon] %>"
#Alias <%= @pub_url_path %> "<%= @pub_dir %>"
<% if @favicon -%>
Alias /favicon.ico "<%= @favicon %>"
<% end -%>
Alias /robots.txt "<%= @params[:install_dir] %>/robots.txt"
Alias /robots.txt "<%= @install_dir %>/robots.txt"
# Add aliases for any other files that must be read at the root level. eg.
# Alias /google[somehashkey].html "<%= @params[:install_dir] %>/google[somehashkey].html"
# Alias /google[somehashkey].html "<%= @install_dir %>/google[somehashkey].html"
<% if @params[:use_short_urls] || @params[:protect_attachments] -%>
<% if @use_short_urls || @protect_attachments -%>
# Rewriting is required for Short URLs, and Attachment redirecting to viewfile
RewriteEngine on
<% if @params[:use_short_urls] -%>
Redirect permanent /cgi-bin https://<%= @params[:server_name] %>/bin
Redirect permanent /foswiki/bin https://<%= @params[:server_name] %>/bin
Redirect permanent /foswiki/cgi-bin https://<%= @params[:server_name] %>/bin
Redirect permanent /foswiki/pub https://<%= @params[:server_name] %>/pub
<% if @use_short_urls -%>
Redirect permanent /cgi-bin https://<%= @server_name %>/bin
Redirect permanent /foswiki/bin https://<%= @server_name %>/bin
Redirect permanent /foswiki/cgi-bin https://<%= @server_name %>/bin
Redirect permanent /foswiki/pub https://<%= @server_name %>/pub
# Shortest URLs block access to the Apache standard error documents. The following alias will
# restore access to these error messages. The actual location may vary by OS distribution.
# This may need to be tailored depending upon location of the Apache error documents. Below
# are examples for Linux, and FreeBSD
Alias /error/ "/usr/share/apache2/error/"
Alias /pub/ "<%= @params[:pub_dir] %>/"
Alias /pub/ "<%= @pub_dir %>/"
# short urls
Alias / "<%= @params[:script_dir] %>/<%= @params[:use_fcgi] ? 'foswiki.fcgi' : 'view' %>/"
RewriteRule ^<%= @params[:script_url_path].gsub('/', '/+') %>/+view/+(.*) /<%= @params[:script_url_path_view] %>$1 [L,NE,R]
RewriteRule ^<%= @params[:script_url_path].gsub('/', '/+') %>/+view$ /<%= @params[:script_url_path_view] %> [L,NE,R]
Alias / "<%= @script_dir %>/<%= @use_fcgi ? 'foswiki.fcgi' : 'view' %>/"
RewriteRule ^<%= @script_url_path.gsub('/', '/+') %>/+view/+(.*) /<%= @script_url_path_view %>$1 [L,NE,R]
RewriteRule ^<%= @script_url_path.gsub('/', '/+') %>/+view$ /<%= @script_url_path_view %> [L,NE,R]
#
# Dont rewrite any other /bin URLs
#
RewriteRule ^<%= @params[:script_dir] %>/(.*)$ - [L,PT] # bin, stop rewriting
RewriteRule ^<%= @script_dir %>/(.*)$ - [L,PT] # bin, stop rewriting
#
# Dont rewrite internal requests or robots.txt
......@@ -93,20 +93,20 @@
RewriteRule .* - [L]
<% end -%>
<% if @params[:protect_attachments] -%>
<% if @protect_attachments -%>
#
# Protect attachments by rewriting to the "viewfile" script
#
<% unless (@params[:unprotected_attachments] || []).empty? -%>
<% unless (@unprotected_attachments || []).empty? -%>
# Permit some safe exceptions to avoid viewfile overhead
<% @params[:unprotected_attachments][0..-2].each do |attach| -%>
RewriteCond %{REQUEST_URI} ^<%= @params[:pub_url_path] %>/<%= attach %> [NC,OR]
<% @unprotected_attachments[0..-2].each do |attach| -%>
RewriteCond %{REQUEST_URI} ^<%= @pub_url_path %>/<%= attach %> [NC,OR]
<% end -%>
<% if @params[:unprotected_attachments].length > 1 -%>
RewriteCond %{REQUEST_URI} ^<%= @params[:pub_url_path] %>/<%= @params[:unprotected_attachments][-1] %> [NC]
<% if @unprotected_attachments.length > 1 -%>
RewriteCond %{REQUEST_URI} ^<%= @pub_url_path %>/<%= @unprotected_attachments[-1] %> [NC]
<% end -%>
RewriteRule ^<%= @params[:pub_url_path] %>/.* - [L,PT]
RewriteRule ^<%= @pub_url_path %>/.* - [L,PT]
<% end -%>
# Optional - do not rewrite /pub/images if ImageGalleryPlugin is installed - path is incompatible with viewfile
......@@ -114,28 +114,28 @@
# If it makes it here, rewrite as viewfile
<% viewfile = 'viewfile' -%>
<% if @params[:use_xsendfile] -%>
<% if @use_xsendfile -%>
<% viewfile = 'xsendfile' -%>
XSendFile on
XSendFilePath "<%= @params[:pub_dir] %>"
XSendFilePath "<%= @pub_dir %>"
<% end -%>
RewriteRule ^<%= @params[:pub_url_path].gsub('/', '/+') %>/+(.*)$ <%= @params[:script_url_path] %>/<%= viewfile %>/$1 [L,PT]
RewriteRule ^<%= @pub_url_path.gsub('/', '/+') %>/+(.*)$ <%= @script_url_path %>/<%= viewfile %>/$1 [L,PT]
<% end -%>
<% end -%>
# This enables access to the documents in the Foswiki root directory
<Directory "<%= @params[:install_dir] %>">
<Directory "<%= @install_dir %>">
<RequireAll>
Require all granted
Require not env blockAccess
</RequireAll>
</Directory>
<% if @params[:use_fcgi] -%>
<% if @use_fcgi -%>
<IfModule mod_fcgid.c>
DefaultMaxClassProcessCount 3
# Request length must be larger than largest ATTACHFILESIZELIMIT x 1024
FcgidMaxRequestLen <%= @params[:fcgid_max_request_len] %>
FcgidMaxRequestLen <%= @fcgid_max_request_len %>
# Limit requests to control memory growth.
FcgidMaxRequestsPerProcess 400
......@@ -153,7 +153,7 @@
# lets any IP address access this URL.
# Note: If you use SELinux, you also have to "Allow httpd cgi support" in your SELinux policies
<Directory "<%= @params[:script_dir] %>">
<Directory "<%= @script_dir %>">
AllowOverride None
<RequireAll>
......@@ -163,19 +163,19 @@
Options +ExecCGI +FollowSymLinks
SetHandler cgi-script
<% if @params[:use_fcgi] -%>
<% if @use_fcgi -%>
<Files "foswiki.fcgi">
SetHandler fcgid-script
</Files>
<% end -%>
# Password file for Foswiki users
#AuthUserFile "<%= @params[:data_dir] %>/.htpasswd"
#AuthUserFile "<%= @data_dir %>/.htpasswd"
#AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
#AuthType Basic
# File to return on access control error (e.g. wrong password)
ErrorDocument 401 <%= @params[:access_control] || '/System/ResetPassword' %>
ErrorDocument 401 <%= @access_control || '/System/ResetPassword' %>
</Directory>
# This sets the options on the pub directory, which contains attachments and
......@@ -185,7 +185,7 @@
# so if you want to control access to files attached to topics you need to
# block access to the specific directories same way as the ApacheConfigGenerator
# blocks access to the pub directory of the Trash web
<Directory "<%= @params[:pub_dir] %>">
<Directory "<%= @pub_dir %>">
Options None
Options +FollowSymLinks
AllowOverride None
......@@ -213,13 +213,13 @@
# This line will redefine the mime type for the most common types of scripts
AddType text/plain .shtml .php .php3 .phtml .phtm .pl .py .cgi
<% if @params[:pub_expires_time] -%>
<% if @pub_expires_time -%>
# add an Expires header that is sufficiently in the future that the browser does not even ask if its uptodate
# reducing the load on the server significantly
<ifmodule mod_expires.c>
<filesmatch "<%= @params[:pub_expires_match] %>">
<filesmatch "<%= @pub_expires_match %>">
ExpiresActive on
ExpiresDefault "<%= @params[:pub_expires_time] %>"
ExpiresDefault "<%= @pub_expires_time %>"
</filesmatch>
</ifmodule>
......@@ -248,27 +248,27 @@
# Security note: All other directories should be set so
# that they are *not* visible as URLs, so we set them as =deny from all=.
<Directory "<%= @params[:data_dir] || "#{@params[:install_dir]}/data" %>">
<Directory "<%= @data_dir || "#{@install_dir}/data" %>">
Require all denied
</Directory>
<Directory "<%= @params[:template_dir] || "#{@params[:install_dir]}/templates" %>">
<Directory "<%= @template_dir || "#{@install_dir}/templates" %>">
Require all denied
</Directory>
<Directory "<%= @params[:install_dir] %>/lib">
<Directory "<%= @install_dir %>/lib">
Require all denied
</Directory>
<Directory "<%= @params[:locales_dir] || "#{@params[:install_dir]}/locale" %>">
<Directory "<%= @locales_dir || "#{@install_dir}/locale" %>">
Require all denied
</Directory>
<Directory "<%= @params[:tools_dir] || "#{@params[:install_dir]}/tools" %>">
<Directory "<%= @tools_dir || "#{@install_dir}/tools" %>">
Require all denied
</Directory>
<Directory "<%= @params[:working_dir] || "#{@params[:install_dir]}/working" %>">
<Directory "<%= @working_dir || "#{@install_dir}/working" %>">
Require all denied
</Directory>
......@@ -279,10 +279,10 @@
# doing the same. This is important to prevent the most obvious
# Denial of Service attacks.
<% (@params[:blocked_agents] || []).each do |agent| -%>
<% (@blocked_agents || []).each do |agent| -%>
BrowserMatchNoCase "<%= agent %>" blockAccess
<% end -%>
<% (@params[:blocked_ips] || []).each do |ip| -%>
<% (@blocked_ips || []).each do |ip| -%>
SetEnvIf Remote_Addr "^<%= ip %>$" blockAccess
<% end -%>
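Review bot: In the `blocked_ips` loop at the end of the template, `SetEnvIf Remote_Addr "^<%= ip %>$" blockAccess` places each entry into a regular expression unescaped, so every dot matches any character. A constructed entry such as `10.1.1.1` would then also match `10.1.111` and deny a client that was never listed. If the entries are meant to be literal addresses rather than patterns, `SetEnvIf Remote_Addr "^<%= Regexp.escape(ip) %>$" blockAccess` keeps the match exact. That line is context this commit leaves unchanged, but the rename touches the loop around it. Note also that the template reads `@working_dir` while the `variables` hash in the recipe passes no `working_dir`, so that `<Directory>` block always falls back to `#{@install_dir}/working`.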
......