Diffstat (limited to 'modules/apache')
-rw-r--r--modules/apache/manifests/base.pp19
-rw-r--r--modules/apache/manifests/mod/fcgid.pp7
-rw-r--r--modules/apache/manifests/var.pp6
-rw-r--r--modules/apache/templates/01_default_ssl_vhost.conf10
-rw-r--r--modules/apache/templates/50_mod_deflate.conf36
-rw-r--r--modules/apache/templates/django.wsgi4
-rw-r--r--modules/apache/templates/logrotate9
-rw-r--r--modules/apache/templates/mod/php.conf4
-rw-r--r--modules/apache/templates/mod/wsgi.conf2
-rw-r--r--modules/apache/templates/urlescape9
-rw-r--r--modules/apache/templates/vhost_base.conf30
-rw-r--r--modules/apache/templates/vhost_django_app.conf2
-rw-r--r--modules/apache/templates/vhost_fcgid.conf31
-rw-r--r--modules/apache/templates/vhost_redirect.conf2
-rw-r--r--modules/apache/templates/vhost_reverse_proxy.conf8
-rw-r--r--modules/apache/templates/vhost_simple.conf4
-rw-r--r--modules/apache/templates/vhost_ssl.conf12
-rw-r--r--modules/apache/templates/vhost_ssl_redirect.conf2
-rw-r--r--modules/apache/templates/vhost_wsgi.conf2
19 files changed, 134 insertions, 65 deletions
diff --git a/modules/apache/manifests/base.pp b/modules/apache/manifests/base.pp
index b24b740e..4e1d6ed4 100644
--- a/modules/apache/manifests/base.pp
+++ b/modules/apache/manifests/base.pp
@@ -1,25 +1,12 @@
class apache::base {
include apache::var
- # apache-mpm-prefork is merged from mga3 up
- $apache_server = $lsbdistrelease ? {
- /1|2/ => 'apache-mpm-prefork',
- default => 'apache',
- }
+ $conf_d = '/etc/httpd/conf/conf.d'
- package { $apache_server:
+ package { 'apache':
alias => 'apache-server',
}
- if versioncmp($::lsbdistrelease, '2') <= 0 {
- $conf_d = '/etc/httpd/conf.d'
-
- # only needed on mga1 and mga2
- package { $apache::var::pkg_conf: }
- } else {
- $conf_d = '/etc/httpd/conf/conf.d'
- }
-
service { 'httpd':
alias => 'apache',
subscribe => [ Package['apache-server'] ],
@@ -40,6 +27,8 @@ class apache::base {
'/etc/httpd/conf/vhosts.d/00_default_vhosts.conf':
content => template('apache/00_default_vhosts.conf'),
require => Package[$apache::var::pkg_conf];
+ '/etc/httpd/conf/modules.d/50_mod_deflate.conf':
+ content => template('apache/50_mod_deflate.conf');
}
file { '/etc/logrotate.d/httpd':
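Review bot: The new `'/etc/httpd/conf/modules.d/50_mod_deflate.conf'` entry only sets `content`, and the neighbouring entry in this hunk carries a `require` but no `notify`, so unless the enclosing `file { }` block sets a default notify outside the hunk (its header is above the hunk and not visible here), a later change to the deflate template is written to disk but not applied until the next unrelated restart. If that is the case, add `notify => Service['apache'],` to this entry, mirroring the `notify => Service['apache']` used for the urlescape file in apache::mod::fcgid in the same commit. A one-line comment stating which directives the file enables (`# output compression for text types; see templates/50_mod_deflate.conf`) would also help readers of base.pp who never open the template.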
diff --git a/modules/apache/manifests/mod/fcgid.pp b/modules/apache/manifests/mod/fcgid.pp
index 6c815681..b8186a64 100644
--- a/modules/apache/manifests/mod/fcgid.pp
+++ b/modules/apache/manifests/mod/fcgid.pp
@@ -1,4 +1,11 @@
class apache::mod::fcgid {
include apache::base
package { 'apache-mod_fcgid': }
+
+ file { 'urlescape':
+ path => '/usr/local/bin/urlescape',
+ mode => '0755',
+ notify => Service['apache'],
+ content => template('apache/urlescape'),
+ }
}
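Review bot: The `file { 'urlescape': }` resource pins `mode` but not `owner`/`group`, so ownership follows the agent's defaults; because this file is a program that httpd executes (it is the target of a `RewriteMap prg:` in vhost_fcgid.conf), pin it explicitly, `owner => 'root', group => 'root',` so that the service account can never end up able to rewrite a program the server spawns. The `notify => Service['apache']` is correct and non-obvious — prg maps are started once at server start, so an edited script is not picked up until restart — and deserves a comment, `# prg: RewriteMaps are spawned at startup; a changed script needs a service restart`. The script's shebang is `/usr/bin/python3`, and nothing in this class declares that interpreter as a dependency; if python3 is not guaranteed by the base profile, declare the package and `require` it here.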
diff --git a/modules/apache/manifests/var.pp b/modules/apache/manifests/var.pp
index 2c33a23f..4a6d68eb 100644
--- a/modules/apache/manifests/var.pp
+++ b/modules/apache/manifests/var.pp
@@ -8,9 +8,5 @@ class apache::var(
$apache_group = 'apache',
$default_vhost_redirect = ''
) {
- if ($::lsbdistrelease == '1') or ($::lsbdistid == 'MandrivaLinux') {
- $pkg_conf = 'apache-conf'
- } else {
- $pkg_conf = 'apache'
- }
+ $pkg_conf = 'apache'
}
diff --git a/modules/apache/templates/01_default_ssl_vhost.conf b/modules/apache/templates/01_default_ssl_vhost.conf
index c9cdcfcd..323bf145 100644
--- a/modules/apache/templates/01_default_ssl_vhost.conf
+++ b/modules/apache/templates/01_default_ssl_vhost.conf
@@ -15,7 +15,7 @@
# General setup for the virtual host
DocumentRoot "/var/www/html"
#ServerName localhost:443
-ServerAdmin root@<%= domain %>
+ServerAdmin root@<%= @domain %>
ErrorLog logs/ssl_error_log
<IfModule mod_log_config.c>
@@ -38,10 +38,10 @@ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:EC
# connect. Disable SSLv2/v3 access by default:
SSLProtocol ALL -SSLv2 -SSLv3
-<%- if wildcard_sslcert == 'true' then -%>
-SSLCertificateFile /etc/ssl/wildcard.<%= domain %>.crt
-SSLCertificateKeyFile /etc/ssl/wildcard.<%= domain %>.key
-SSLCACertificateFile /etc/ssl/wildcard.<%= domain %>.pem
+<%- if @wildcard_sslcert == 'true' then -%>
+SSLCertificateFile /etc/ssl/wildcard.<%= @domain %>.crt
+SSLCertificateKeyFile /etc/ssl/wildcard.<%= @domain %>.key
+SSLCACertificateFile /etc/ssl/wildcard.<%= @domain %>.pem
SSLVerifyClient None
<%- else -%>
SSLCertificateFile /etc/ssl/apache/localhost.pem
diff --git a/modules/apache/templates/50_mod_deflate.conf b/modules/apache/templates/50_mod_deflate.conf
new file mode 100644
index 00000000..5192bf6e
--- /dev/null
+++ b/modules/apache/templates/50_mod_deflate.conf
@@ -0,0 +1,36 @@
+<IfModule mod_deflate.c>
+ # Compress HTML, CSS, JavaScript, JSON, Text, XML and fonts
+ AddOutputFilterByType DEFLATE application/javascript
+ AddOutputFilterByType DEFLATE application/json
+ AddOutputFilterByType DEFLATE application/rss+xml
+ AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
+ AddOutputFilterByType DEFLATE application/x-font
+ AddOutputFilterByType DEFLATE application/x-font-opentype
+ AddOutputFilterByType DEFLATE application/x-font-otf
+ AddOutputFilterByType DEFLATE application/x-font-truetype
+ AddOutputFilterByType DEFLATE application/x-font-ttf
+ AddOutputFilterByType DEFLATE application/x-javascript
+ AddOutputFilterByType DEFLATE application/xhtml+xml
+ AddOutputFilterByType DEFLATE application/xml
+ AddOutputFilterByType DEFLATE font/opentype
+ AddOutputFilterByType DEFLATE font/otf
+ AddOutputFilterByType DEFLATE font/ttf
+ AddOutputFilterByType DEFLATE image/svg+xml
+ AddOutputFilterByType DEFLATE image/x-icon
+ AddOutputFilterByType DEFLATE text/css
+ AddOutputFilterByType DEFLATE text/html
+ AddOutputFilterByType DEFLATE text/javascript
+ AddOutputFilterByType DEFLATE text/plain
+ AddOutputFilterByType DEFLATE text/xml
+
+ # Level of compression (9=highest compression level)
+ DeflateCompressionLevel 1
+
+ # Do not compress certain file types
+ SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|heif|heic|webp|mp4|mov|mpg|webm|avi)$ no-gzip dont-vary
+ SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|xz|zst|lzo|lzma|sit|rar|cab|rpm)$ no-gzip dont-vary
+ SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
+
+ # Make sure proxies don't deliver the wrong content
+ Header append Vary User-Agent env=!dont-vary
+</IfModule>
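Review bot: `Header append Vary User-Agent env=!dont-vary` needs mod_headers (and the `SetEnvIfNoCase` lines need mod_setenvif), but the only guard is `<IfModule mod_deflate.c>`, so httpd refuses to start with an unknown-directive error on a build where mod_headers is not loaded; wrap the `Header` line in its own `<IfModule mod_headers.c>` … `</IfModule>`. Enabling DEFLATE for `text/html` and `application/json` on the TLS vhosts means any response that reflects request-controlled input next to a per-session secret (CSRF token, session id) is exposed to BREACH-style compression side channels; either confirm that the hosted applications mask such tokens or exclude those responses with a `SetEnvIf … no-gzip` rule, and record the decision in the header comment so it is not undone later. Appending `User-Agent` to `Vary` also makes every compressed response uncacheable per browser string in shared caches, which is probably not intended since mod_deflate already emits `Vary: Accept-Encoding` itself — if it is kept, the comment should say why.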
diff --git a/modules/apache/templates/django.wsgi b/modules/apache/templates/django.wsgi
index aa0b82c8..2188e1e7 100644
--- a/modules/apache/templates/django.wsgi
+++ b/modules/apache/templates/django.wsgi
@@ -6,8 +6,8 @@ if path not in sys.path:
sys.path.append(path)
<%- end -%>
-<%- if django_module -%>
-os.environ['DJANGO_SETTINGS_MODULE'] = '<%= django_module %>.settings'
+<%- if @django_module -%>
+os.environ['DJANGO_SETTINGS_MODULE'] = '<%= @django_module %>.settings'
<%- else -%>
os.environ['DJANGO_SETTINGS_MODULE'] = 'settings'
<%- end -%>
diff --git a/modules/apache/templates/logrotate b/modules/apache/templates/logrotate
index 0ae57120..823989eb 100644
--- a/modules/apache/templates/logrotate
+++ b/modules/apache/templates/logrotate
@@ -1,7 +1,14 @@
/var/log/httpd/*_log /var/log/httpd/apache_runtime_status /var/log/httpd/ssl_mutex {
-<% if @hostname == 'duvel' then %>
+<% if @hostname == 'duvel' %>
rotate 60
daily
+<% elsif @hostname == 'friteuse' %>
+ # The virtual disk is very small so keep log sizes down
+ rotate 26
+ weekly
+<% elsif @hostname == 'sucuk' %>
+ rotate 52
+ weekly
<% else %>
rotate <%= scope.lookupvar('apache::var::httpdlogs_rotate') %>
monthly
diff --git a/modules/apache/templates/mod/php.conf b/modules/apache/templates/mod/php.conf
index 6d64ffb8..8bc20078 100644
--- a/modules/apache/templates/mod/php.conf
+++ b/modules/apache/templates/mod/php.conf
@@ -1,5 +1,5 @@
# as php insist to have this value set, let's
# look on the system for him
-php_value date.timezone "<%= php_date_timezone %>"
-php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f root@<%= domain %>"
+php_value date.timezone "<%= @php_date_timezone %>"
+php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f root@<%= @domain %>"
diff --git a/modules/apache/templates/mod/wsgi.conf b/modules/apache/templates/mod/wsgi.conf
index 347affc6..18678bc6 100644
--- a/modules/apache/templates/mod/wsgi.conf
+++ b/modules/apache/templates/mod/wsgi.conf
@@ -7,6 +7,6 @@ WSGIRestrictStdout Off
# WSGIRestrictSignal Off
# reenabled, as this prevent apache from restarting properly
-# make sure transifex client work fine, as we need wsgi to pass autorisation
+# make sure transifex client work fine, as we need wsgi to pass authorisation
# header to django ( otherwise, this just show error 401 )
WSGIPassAuthorization On
diff --git a/modules/apache/templates/urlescape b/modules/apache/templates/urlescape
new file mode 100644
index 00000000..8feb7fa4
--- /dev/null
+++ b/modules/apache/templates/urlescape
@@ -0,0 +1,9 @@
+#!/usr/bin/python3 -u
+# URL escape each path given on stdin
+import sys
+import urllib.parse
+while True:
+ l = sys.stdin.readline()
+ if not l:
+ break
+ print(urllib.parse.quote(l.rstrip("\n")))
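Review bot: The `while True` / `readline` / `if not l: break` loop is the non-idiomatic form of `for line in sys.stdin:` with the `print` as its body, and the name `l` is the ambiguous single letter that PEP 8 (E741) discourages; the three-line loop body becomes `for line in sys.stdin:` / `    print(urllib.parse.quote(line.rstrip("\n")))`. The `-u` in the shebang is load-bearing and should be documented: a `prg:` RewriteMap exchanges one request line and one reply line over a pipe, so a block-buffered stdout would leave httpd waiting for a reply that never arrives, e.g. `# -u keeps stdout unbuffered; mod_rewrite prg: maps block until the reply line arrives`. It is also worth stating the escaping contract, `# quote() with its default safe='/' encodes &, =, ? so the query string survives as a single parameter value`, since the caller in vhost_fcgid.conf depends on exactly that.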
diff --git a/modules/apache/templates/vhost_base.conf b/modules/apache/templates/vhost_base.conf
index 84c8f918..da26b683 100644
--- a/modules/apache/templates/vhost_base.conf
+++ b/modules/apache/templates/vhost_base.conf
@@ -1,4 +1,4 @@
-<%- if use_ssl then
+<%- if @use_ssl then
port = 443
else
port = 80
@@ -6,19 +6,19 @@ end
-%>
<VirtualHost *:<%= port %>>
-<%- if use_ssl then -%>
+<%- if @use_ssl then -%>
<%= scope.function_template(["apache/vhost_ssl.conf"]) %>
<%- end -%>
- ServerName <%= real_vhost %>
-<%- server_aliases.each do |key| -%>
+ ServerName <%= @real_vhost %>
+<%- @server_aliases.each do |key| -%>
ServerAlias <%= key %>
<%- end -%>
- DocumentRoot <%= location %>
+ DocumentRoot <%= @location %>
- CustomLog <%= real_access_logfile %> combined
- ErrorLog <%= real_error_logfile %>
+ CustomLog <%= @real_access_logfile %> combined
+ ErrorLog <%= @real_error_logfile %>
-<%- if enable_public_html -%>
+<%- if @enable_public_html -%>
#TODO add the rest
UserDir public_html
<%- else -%>
@@ -27,19 +27,19 @@ end
</IfModule>
<%- end -%>
-<%- aliases.keys.sort {|a,b| a.size <=> b.size }.reverse.each do |key| -%>
- Alias <%= key %> <%= aliases[key] %>
+<%- @aliases.keys.sort {|a,b| a.size <=> b.size }.reverse.each do |key| -%>
+ Alias <%= key %> <%= @aliases[key] %>
<%- end -%>
- <%= content %>
+ <%= @content %>
-<%- if options.length > 0 -%>
- <Directory <%= location %>>
- Options <%= options.join(" ") %>
+<%- if @options.length > 0 -%>
+ <Directory <%= @location %>>
+ Options <%= @options.join(" ") %>
</Directory>
<%- end -%>
-<%- if enable_location -%>
+<%- if @enable_location -%>
<Location />
<IfModule mod_authz_core.c>
Require all granted
diff --git a/modules/apache/templates/vhost_django_app.conf b/modules/apache/templates/vhost_django_app.conf
index 3310045e..d85cf7a9 100644
--- a/modules/apache/templates/vhost_django_app.conf
+++ b/modules/apache/templates/vhost_django_app.conf
@@ -1 +1 @@
-WSGIScriptAlias / /usr/local/lib/wsgi/<%= name %>.wsgi
+WSGIScriptAlias / /usr/local/lib/wsgi/<%= @name %>.wsgi
diff --git a/modules/apache/templates/vhost_fcgid.conf b/modules/apache/templates/vhost_fcgid.conf
index 17b2bb06..f137c866 100644
--- a/modules/apache/templates/vhost_fcgid.conf
+++ b/modules/apache/templates/vhost_fcgid.conf
@@ -1,8 +1,8 @@
AddHandler fcgid-script .pl
-<%- script_aliases.keys.sort {|a,b| a.size <=> b.size }.reverse.each do |key| -%>
- ScriptAlias <%= key %> <%= script_aliases[key] %>
+<%- @script_aliases.keys.sort {|a,b| a.size <=> b.size }.reverse.each do |key| -%>
+ ScriptAlias <%= key %> <%= @script_aliases[key] %>
<%- end -%>
-FcgidMinProcessesPerClass <%= process %>
+FcgidMinProcessesPerClass <%= @process %>
FcgidIdleTimeout 30
# These robots were scraping the whole of svnweb in 2024-04, causing severe
@@ -13,4 +13,29 @@ FcgidIdleTimeout 30
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ClaudeBot|Amazonbot
RewriteRule . - [R=403,L]
+
+# Block expensive SVN operations on all common robots ("spider" covers a
+# bunch). "Expensive" is considered to be most operations other than showing a
+# directory or downloading a specific version of a file.
+# Note: eliminating view=log and annotate= doesn't make much difference to the
+# CPU load when robots are hitting the server in real world operation.
+RewriteCond %{QUERY_STRING} pathrev=|r1=
+RewriteCond %{HTTP_USER_AGENT} "Googlebot|GoogleOther|bingbot|Yahoo! Slurp|ClaudeBot|Amazonbot|YandexBot|SemrushBot|Barkrowler|DataForSeoBot|PetalBot|facebookexternalhit|GPTBot|ImagesiftBot|spider|Spider|iPod|Trident|Presto"
+RewriteRule . - [R=403,L]
+
+# Only let expensive operations through when a cookie is set. If no cookie is
+# set, redirect to a page where it will be set using JavaScript and redirect
+# back. This will block requests from user agents that do not support
+# JavaScript, which includes many robots.
+RewriteMap urlescape prg:/usr/local/bin/urlescape
+RewriteCond %{QUERY_STRING} pathrev=|r1=
+RewriteCond %{REQUEST_URI} !/_check
+RewriteCond %{HTTP_COOKIE} !session=([^;]+) [novary]
+RewriteRule . %{REQUEST_SCHEME}://%{SERVER_NAME}:%{SERVER_PORT}/_check?to=%{REQUEST_URI}?${urlescape:%{QUERY_STRING}} [R=302,L]
+
+# Block abusive spiders by IP address who don't identify themselves in the
+# User-Agent: string
+RewriteCond expr "-R '47.76.0.0/14' || -R '47.80.0.0/14' || -R '47.208.0.0/16' || -R '47.238.0.0/16' || -R '8.210.0.0/16' || -R '8.218.0.0/16' || -R '188.239.0.0/18' || -R '166.108.192.0/18' || -R '124.243.160.0/19' || -R '101.46.0.0/20'"
+RewriteRule . - [R=403,L]
+
ErrorDocument 403 "<html><body>Impolite robots are not allowed</body></html>"
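Review bot: `RewriteCond %{REQUEST_URI} !/_check` is unanchored, so any path that merely contains `/_check` is exempted from the cookie gate rather than only the check page; `RewriteCond %{REQUEST_URI} !^/_check` limits the exemption to what the comment describes. The `/_check` handler is not on this page, and because `to=` carries the raw `%{REQUEST_URI}`, it should only bounce back to a value that starts with a single `/` (a `//host/...` path passed through unchecked would turn the check page into an open redirect) — a note here pointing at that requirement would keep the two halves in sync. As far as I recall, a `prg:` map program is spawned by the httpd parent and inherits its privileges unless the optional `user:group` argument (2.4.19+) is supplied; confirm against the installed httpd and, if so, pin it, `RewriteMap urlescape prg:/usr/local/bin/urlescape apache:apache`. The literal IP ranges in the `expr` condition would be easier to audit and update as a template variable than as a list embedded in the template.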
diff --git a/modules/apache/templates/vhost_redirect.conf b/modules/apache/templates/vhost_redirect.conf
index 0f256881..c787311e 100644
--- a/modules/apache/templates/vhost_redirect.conf
+++ b/modules/apache/templates/vhost_redirect.conf
@@ -1,2 +1,2 @@
-Redirect / <%= url %>
+Redirect / <%= @url %>
diff --git a/modules/apache/templates/vhost_reverse_proxy.conf b/modules/apache/templates/vhost_reverse_proxy.conf
index 1488c682..4859bda3 100644
--- a/modules/apache/templates/vhost_reverse_proxy.conf
+++ b/modules/apache/templates/vhost_reverse_proxy.conf
@@ -1,4 +1,4 @@
-<%= content %>
+<%= @content %>
ProxyRequests Off
ProxyPreserveHost On
@@ -7,9 +7,9 @@
Order deny,allow
Allow from all
</Proxy>
-<%- if url =~ /^https/ -%>
+<%- if @url =~ /^https/ -%>
SSLProxyEngine On
<%- end -%>
- ProxyPass / <%= url %>
- ProxyPassReverse / <%= url %>
+ ProxyPass / <%= @url %>
+ ProxyPassReverse / <%= @url %>
diff --git a/modules/apache/templates/vhost_simple.conf b/modules/apache/templates/vhost_simple.conf
index afc443de..77b55287 100644
--- a/modules/apache/templates/vhost_simple.conf
+++ b/modules/apache/templates/vhost_simple.conf
@@ -1,6 +1,6 @@
<VirtualHost *:80>
- ServerName <%= name %>
- DocumentRoot <%= location %>
+ ServerName <%= @name %>
+ DocumentRoot <%= @location %>
<Location />
<IfModule mod_authz_core.c>
diff --git a/modules/apache/templates/vhost_ssl.conf b/modules/apache/templates/vhost_ssl.conf
index e39e6820..0cb52eca 100644
--- a/modules/apache/templates/vhost_ssl.conf
+++ b/modules/apache/templates/vhost_ssl.conf
@@ -2,12 +2,12 @@
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
- <%- if wildcard_sslcert == 'true' then -%>
- SSLCertificateFile /etc/ssl/wildcard.<%= domain %>.crt
- SSLCertificateKeyFile /etc/ssl/wildcard.<%= domain %>.key
- SSLCACertificateFile /etc/ssl/wildcard.<%= domain %>.pem
+ <%- if @wildcard_sslcert == 'true' then -%>
+ SSLCertificateFile /etc/ssl/wildcard.<%= @domain %>.crt
+ SSLCertificateKeyFile /etc/ssl/wildcard.<%= @domain %>.key
+ SSLCACertificateFile /etc/ssl/wildcard.<%= @domain %>.pem
SSLVerifyClient None
<%- else -%>
- SSLCertificateFile /etc/ssl/apache/<%= real_vhost %>.pem
- SSLCertificateKeyFile /etc/ssl/apache/<%= real_vhost %>.pem
+ SSLCertificateFile /etc/ssl/apache/<%= @real_vhost %>.pem
+ SSLCertificateKeyFile /etc/ssl/apache/<%= @real_vhost %>.pem
<%- end -%>
diff --git a/modules/apache/templates/vhost_ssl_redirect.conf b/modules/apache/templates/vhost_ssl_redirect.conf
index d13c3093..23a7eabe 100644
--- a/modules/apache/templates/vhost_ssl_redirect.conf
+++ b/modules/apache/templates/vhost_ssl_redirect.conf
@@ -1 +1 @@
-Redirect / https://<%= name %>/
+Redirect / https://<%= @name %>/
diff --git a/modules/apache/templates/vhost_wsgi.conf b/modules/apache/templates/vhost_wsgi.conf
index 34926411..2f1ba585 100644
--- a/modules/apache/templates/vhost_wsgi.conf
+++ b/modules/apache/templates/vhost_wsgi.conf
@@ -1,3 +1,3 @@
-WSGIScriptAlias / <%= wsgi_path %>
+WSGIScriptAlias / <%= @wsgi_path %>