Mercurial Mercurial > corpus_parole / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
dev/provisioning/modules/apache/manifests/mod/security.pp
author ymh <ymh.work@gmail.com>
Fri, 15 Jan 2016 15:35:00 +0100
changeset 28 b0b56e0f8c7f
permissions -rw-r--r--
Add contributor edition - added viaf resolver - improve contributors list display - add update of document objects - propagate update to back office - update back office - add bo-client to back office - setup language initializer - add options mechanism - add language information in language list - add lexvo resolver service + api - add language and lexvo resolver to js app - correct env template - refresh bootstrap - download google font - add version information - update dev virtual machine to centos7 - add a readme + clean folders - add local .env file to start commands

class apache::mod::security (
  $crs_package           = $::apache::params::modsec_crs_package,
  $activated_rules       = $::apache::params::modsec_default_rules,
  $modsec_dir            = $::apache::params::modsec_dir,
  $modsec_secruleengine  = $::apache::params::modsec_secruleengine,
  $allowed_methods       = 'GET HEAD POST OPTIONS',
  $content_types         = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf',
  $restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',
  $restricted_headers    = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',
){

  if $::osfamily == 'FreeBSD' {
    fail('FreeBSD is not currently supported')
  }

  ::apache::mod { 'security':
    id  => 'security2_module',
    lib => 'mod_security2.so',
  }

  ::apache::mod { 'unique_id_module':
    id  => 'unique_id_module',
    lib => 'mod_unique_id.so',
  }

  if $crs_package  {
    package { $crs_package:
      ensure => 'latest',
      before => File['security.conf'],
    }
  }

  # Template uses:
  # - $modsec_dir
  file { 'security.conf':
    ensure  => file,
    content => template('apache/mod/security.conf.erb'),
    path    => "${::apache::mod_dir}/security.conf",
    owner   => $::apache::params::user,
    group   => $::apache::params::group,
    require => Exec["mkdir ${::apache::mod_dir}"],
    before  => File[$::apache::mod_dir],
    notify  => Class['apache::service'],
  }

  file { $modsec_dir:
    ensure  => directory,
    owner   => $::apache::params::user,
    group   => $::apache::params::group,
    mode    => '0555',
    purge   => true,
    force   => true,
    recurse => true,
  }

  file { "${modsec_dir}/activated_rules":
    ensure  => directory,
    owner   => $::apache::params::user,
    group   => $::apache::params::group,
    mode    => '0555',
    purge   => true,
    force   => true,
    recurse => true,
    notify  => Class['apache::service'],
  }

  file { "${modsec_dir}/security_crs.conf":
    ensure  => file,
    content => template('apache/mod/security_crs.conf.erb'),
    require => File[$modsec_dir],
    notify  => Class['apache::service'],
  }

  apache::security::rule_link { $activated_rules: }

}
corpus_parole