corpus_parole: dev/provisioning/modules/apache/manifests/mod/security.pp@b0b56e0f8c7f (annotated)

28 b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	1	class apache::mod::security (
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	2	$crs_package = $::apache::params::modsec_crs_package,
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	3	$activated_rules = $::apache::params::modsec_default_rules,
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	4	$modsec_dir = $::apache::params::modsec_dir,
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	5	$modsec_secruleengine = $::apache::params::modsec_secruleengine,
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	6	$allowed_methods = 'GET HEAD POST OPTIONS',
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	7	$content_types = 'application/x-www-form-urlencoded\|multipart/form-data\|text/xml\|application/xml\|application/x-amf',
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	8	$restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	9	$restricted_headers = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	10	){
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	11
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	12	if $::osfamily == 'FreeBSD' {
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	13	fail('FreeBSD is not currently supported')
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	14	}
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	15
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	16	::apache::mod { 'security':
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	17	id => 'security2_module',
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	18	lib => 'mod_security2.so',
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	19	}
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	20
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	21	::apache::mod { 'unique_id_module':
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	22	id => 'unique_id_module',
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	23	lib => 'mod_unique_id.so',
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	24	}
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	25
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	26	if $crs_package {
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	27	package { $crs_package:
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	28	ensure => 'latest',
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	29	before => File['security.conf'],
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	30	}
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	31	}
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	32
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	33	# Template uses:
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	34	# - $modsec_dir
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	35	file { 'security.conf':
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	36	ensure => file,
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	37	content => template('apache/mod/security.conf.erb'),
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	38	path => "${::apache::mod_dir}/security.conf",
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	39	owner => $::apache::params::user,
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	40	group => $::apache::params::group,
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	41	require => Exec["mkdir ${::apache::mod_dir}"],
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	42	before => File[$::apache::mod_dir],
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	43	notify => Class['apache::service'],
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	44	}
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	45
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	46	file { $modsec_dir:
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	47	ensure => directory,
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	48	owner => $::apache::params::user,
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	49	group => $::apache::params::group,
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	50	mode => '0555',
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	51	purge => true,
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	52	force => true,
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	53	recurse => true,
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	54	}
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	55
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	56	file { "${modsec_dir}/activated_rules":
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	57	ensure => directory,
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	58	owner => $::apache::params::user,
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	59	group => $::apache::params::group,
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	60	mode => '0555',
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	61	purge => true,
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	62	force => true,
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	63	recurse => true,
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	64	notify => Class['apache::service'],
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	65	}
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	66
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	67	file { "${modsec_dir}/security_crs.conf":
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	68	ensure => file,
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	69	content => template('apache/mod/security_crs.conf.erb'),
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	70	require => File[$modsec_dir],
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	71	notify => Class['apache::service'],
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	72	}
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	73
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	74	apache::security::rule_link { $activated_rules: }
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	75
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	76	}

author	ymh <ymh.work@gmail.com>
	Fri, 15 Jan 2016 15:35:00 +0100
changeset 28	b0b56e0f8c7f
permissions	-rw-r--r--