Diffstat (limited to 'modules/apache')
-rw-r--r-- | modules/apache/manifests/base.pp | 19 | ||||
-rw-r--r-- | modules/apache/manifests/mod/fcgid.pp | 7 | ||||
-rw-r--r-- | modules/apache/manifests/var.pp | 6 | ||||
-rw-r--r-- | modules/apache/templates/01_default_ssl_vhost.conf | 10 | ||||
-rw-r--r-- | modules/apache/templates/50_mod_deflate.conf | 36 | ||||
-rw-r--r-- | modules/apache/templates/django.wsgi | 4 | ||||
-rw-r--r-- | modules/apache/templates/logrotate | 9 | ||||
-rw-r--r-- | modules/apache/templates/mod/php.conf | 4 | ||||
-rw-r--r-- | modules/apache/templates/mod/wsgi.conf | 2 | ||||
-rw-r--r-- | modules/apache/templates/urlescape | 9 | ||||
-rw-r--r-- | modules/apache/templates/vhost_base.conf | 30 | ||||
-rw-r--r-- | modules/apache/templates/vhost_django_app.conf | 2 | ||||
-rw-r--r-- | modules/apache/templates/vhost_fcgid.conf | 31 | ||||
-rw-r--r-- | modules/apache/templates/vhost_redirect.conf | 2 | ||||
-rw-r--r-- | modules/apache/templates/vhost_reverse_proxy.conf | 8 | ||||
-rw-r--r-- | modules/apache/templates/vhost_simple.conf | 4 | ||||
-rw-r--r-- | modules/apache/templates/vhost_ssl.conf | 12 | ||||
-rw-r--r-- | modules/apache/templates/vhost_ssl_redirect.conf | 2 | ||||
-rw-r--r-- | modules/apache/templates/vhost_wsgi.conf | 2 |
19 files changed, 134 insertions, 65 deletions
diff --git a/modules/apache/manifests/base.pp b/modules/apache/manifests/base.pp index b24b740e..4e1d6ed4 100644 --- a/modules/apache/manifests/base.pp +++ b/modules/apache/manifests/base.pp @@ -1,25 +1,12 @@ class apache::base { include apache::var - # apache-mpm-prefork is merged from mga3 up - $apache_server = $lsbdistrelease ? { - /1|2/ => 'apache-mpm-prefork', - default => 'apache', - } + $conf_d = '/etc/httpd/conf/conf.d' - package { $apache_server: + package { 'apache': alias => 'apache-server', } - if versioncmp($::lsbdistrelease, '2') <= 0 { - $conf_d = '/etc/httpd/conf.d' - - # only needed on mga1 and mga2 - package { $apache::var::pkg_conf: } - } else { - $conf_d = '/etc/httpd/conf/conf.d' - } - service { 'httpd': alias => 'apache', subscribe => [ Package['apache-server'] ], @@ -40,6 +27,8 @@ class apache::base { '/etc/httpd/conf/vhosts.d/00_default_vhosts.conf': content => template('apache/00_default_vhosts.conf'), require => Package[$apache::var::pkg_conf]; + '/etc/httpd/conf/modules.d/50_mod_deflate.conf': + content => template('apache/50_mod_deflate.conf'); } file { '/etc/logrotate.d/httpd': diff --git a/modules/apache/manifests/mod/fcgid.pp b/modules/apache/manifests/mod/fcgid.pp index 6c815681..b8186a64 100644 --- a/modules/apache/manifests/mod/fcgid.pp +++ b/modules/apache/manifests/mod/fcgid.pp @@ -1,4 +1,11 @@ class apache::mod::fcgid { include apache::base package { 'apache-mod_fcgid': } + + file { 'urlescape': + path => '/usr/local/bin/urlescape', + mode => '0755', + notify => Service['apache'], + content => template('apache/urlescape'), + } } diff --git a/modules/apache/manifests/var.pp b/modules/apache/manifests/var.pp index 2c33a23f..4a6d68eb 100644 --- a/modules/apache/manifests/var.pp +++ b/modules/apache/manifests/var.pp 
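Review bot: The new `file { 'urlescape': ... }` resource in apache::mod::fcgid sets `mode => '0755'` but neither `owner` nor `group`, so ownership is whatever the agent process happens to run as and is left unmanaged afterwards. This program is started by httpd itself as a `RewriteMap prg:` helper (see vhost_fcgid.conf in this commit), so it should be pinned to `owner => 'root', group => 'root',` to make sure the web server's own account can never modify something it executes. Consider also adding `require => Package['apache-mod_fcgid'],` so the helper is in place before the module that references it is configured.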
@@ -8,9 +8,5 @@ class apache::var( $apache_group = 'apache', $default_vhost_redirect = '' ) { - if ($::lsbdistrelease == '1') or ($::lsbdistid == 'MandrivaLinux') { - $pkg_conf = 'apache-conf' - } else { - $pkg_conf = 'apache' - } + $pkg_conf = 'apache' } diff --git a/modules/apache/templates/01_default_ssl_vhost.conf b/modules/apache/templates/01_default_ssl_vhost.conf index c9cdcfcd..323bf145 100644 --- a/modules/apache/templates/01_default_ssl_vhost.conf +++ b/modules/apache/templates/01_default_ssl_vhost.conf @@ -15,7 +15,7 @@ # General setup for the virtual host DocumentRoot "/var/www/html" #ServerName localhost:443 -ServerAdmin root@<%= domain %> +ServerAdmin root@<%= @domain %> ErrorLog logs/ssl_error_log <IfModule mod_log_config.c> @@ -38,10 +38,10 @@ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:EC # connect. Disable SSLv2/v3 access by default: SSLProtocol ALL -SSLv2 -SSLv3 -<%- if wildcard_sslcert == 'true' then -%> -SSLCertificateFile /etc/ssl/wildcard.<%= domain %>.crt -SSLCertificateKeyFile /etc/ssl/wildcard.<%= domain %>.key -SSLCACertificateFile /etc/ssl/wildcard.<%= domain %>.pem +<%- if @wildcard_sslcert == 'true' then -%> +SSLCertificateFile /etc/ssl/wildcard.<%= @domain %>.crt +SSLCertificateKeyFile /etc/ssl/wildcard.<%= @domain %>.key +SSLCACertificateFile /etc/ssl/wildcard.<%= @domain %>.pem SSLVerifyClient None <%- else -%> SSLCertificateFile /etc/ssl/apache/localhost.pem diff --git a/modules/apache/templates/50_mod_deflate.conf b/modules/apache/templates/50_mod_deflate.conf new file mode 100644 index 00000000..5192bf6e --- /dev/null +++ b/modules/apache/templates/50_mod_deflate.conf 
@@ -0,0 +1,36 @@ +<IfModule mod_deflate.c> + # Compress HTML, CSS, JavaScript, JSON, Text, XML and fonts + AddOutputFilterByType DEFLATE application/javascript + AddOutputFilterByType DEFLATE application/json + AddOutputFilterByType DEFLATE application/rss+xml + AddOutputFilterByType DEFLATE application/vnd.ms-fontobject + AddOutputFilterByType DEFLATE application/x-font + AddOutputFilterByType DEFLATE application/x-font-opentype + AddOutputFilterByType DEFLATE application/x-font-otf + AddOutputFilterByType DEFLATE application/x-font-truetype + AddOutputFilterByType DEFLATE application/x-font-ttf + AddOutputFilterByType DEFLATE application/x-javascript + AddOutputFilterByType DEFLATE application/xhtml+xml + AddOutputFilterByType DEFLATE application/xml + AddOutputFilterByType DEFLATE font/opentype + AddOutputFilterByType DEFLATE font/otf + AddOutputFilterByType DEFLATE font/ttf + AddOutputFilterByType DEFLATE image/svg+xml + AddOutputFilterByType DEFLATE image/x-icon + AddOutputFilterByType DEFLATE text/css + AddOutputFilterByType DEFLATE text/html + AddOutputFilterByType DEFLATE text/javascript + AddOutputFilterByType DEFLATE text/plain + AddOutputFilterByType DEFLATE text/xml + + # Level of compression (9=highest compression level) + DeflateCompressionLevel 1 + + # Do not compress certain file types + SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|heif|heic|webp|mp4|mov|mpg|webm|avi)$ no-gzip dont-vary + SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|xz|zst|lzo|lzma|sit|rar|cab|rpm)$ no-gzip dont-vary + SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary + + # Make sure proxies don't deliver the wrong content + Header append Vary User-Agent env=!dont-vary +</IfModule> diff --git a/modules/apache/templates/django.wsgi b/modules/apache/templates/django.wsgi index aa0b82c8..2188e1e7 100644 --- a/modules/apache/templates/django.wsgi +++ b/modules/apache/templates/django.wsgi 
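Review bot: `Header append Vary User-Agent env=!dont-vary` is a mod_headers directive, but the whole file is guarded only by `<IfModule mod_deflate.c>`; on a host where mod_headers is not loaded httpd will refuse to start on the unknown directive. Wrap that line in its own `<IfModule mod_headers.c>` … `</IfModule>` pair. Separately, this enables DEFLATE for `text/html` on every vhost, including the TLS ones rendered by `vhost_ssl.conf` and `01_default_ssl_vhost.conf`; compressing dynamic pages that echo request data alongside per-session secrets (CSRF tokens, etc.) is the precondition for BREACH-style compression side channels, so it is worth stating in a comment that this is intended for static content and leaving HTML compression off for authenticated application vhosts. Appending `User-Agent` to `Vary` also makes any intermediate cache keep one copy per browser string; mod_deflate already emits `Vary: Accept-Encoding`, which is usually sufficient.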
@@ -6,8 +6,8 @@ if path not in sys.path: sys.path.append(path) <%- end -%> -<%- if django_module -%> -os.environ['DJANGO_SETTINGS_MODULE'] = '<%= django_module %>.settings' +<%- if @django_module -%> +os.environ['DJANGO_SETTINGS_MODULE'] = '<%= @django_module %>.settings' <%- else -%> os.environ['DJANGO_SETTINGS_MODULE'] = 'settings' <%- end -%> diff --git a/modules/apache/templates/logrotate b/modules/apache/templates/logrotate index 0ae57120..823989eb 100644 --- a/modules/apache/templates/logrotate +++ b/modules/apache/templates/logrotate @@ -1,7 +1,14 @@ /var/log/httpd/*_log /var/log/httpd/apache_runtime_status /var/log/httpd/ssl_mutex { -<% if @hostname == 'duvel' then %> +<% if @hostname == 'duvel' %> rotate 60 daily +<% elsif @hostname == 'friteuse' %> + # The virtual disk is very small so keep log sizes down + rotate 26 + weekly +<% elsif @hostname == 'sucuk' %> + rotate 52 + weekly <% else %> rotate <%= scope.lookupvar('apache::var::httpdlogs_rotate') %> monthly diff --git a/modules/apache/templates/mod/php.conf b/modules/apache/templates/mod/php.conf index 6d64ffb8..8bc20078 100644 --- a/modules/apache/templates/mod/php.conf +++ b/modules/apache/templates/mod/php.conf @@ -1,5 +1,5 @@ # as php insist to have this value set, let's # look on the system for him -php_value date.timezone "<%= php_date_timezone %>" -php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f root@<%= domain %>" +php_value date.timezone "<%= @php_date_timezone %>" +php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f root@<%= @domain %>" diff --git a/modules/apache/templates/mod/wsgi.conf b/modules/apache/templates/mod/wsgi.conf index 347affc6..18678bc6 100644 --- a/modules/apache/templates/mod/wsgi.conf +++ b/modules/apache/templates/mod/wsgi.conf 
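Review bot: The new `elsif @hostname == 'friteuse'` and `elsif @hostname == 'sucuk'` branches hard-code per-host retention into the logrotate template, while the `else` branch already reads `scope.lookupvar('apache::var::httpdlogs_rotate')`. Expressing the overrides as node-level values of `apache::var::httpdlogs_rotate` (and a matching frequency parameter) would keep host-specific policy out of the template and avoid the list of hostnames growing here. If the template is kept as is, the "virtual disk is very small" comment belongs on the node definition too, since that is where the next person will look.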
@@ -7,6 +7,6 @@ WSGIRestrictStdout Off # WSGIRestrictSignal Off # reenabled, as this prevent apache from restarting properly -# make sure transifex client work fine, as we need wsgi to pass autorisation +# make sure transifex client work fine, as we need wsgi to pass authorisation # header to django ( otherwise, this just show error 401 ) WSGIPassAuthorization On diff --git a/modules/apache/templates/urlescape b/modules/apache/templates/urlescape new file mode 100644 index 00000000..8feb7fa4 --- /dev/null +++ b/modules/apache/templates/urlescape @@ -0,0 +1,9 @@ +#!/usr/bin/python3 -u +# URL escape each path given on stdin +import sys +import urllib.parse +while True: + l = sys.stdin.readline() + if not l: + break + print(urllib.parse.quote(l.rstrip("\n"))) diff --git a/modules/apache/templates/vhost_base.conf b/modules/apache/templates/vhost_base.conf index 84c8f918..da26b683 100644 --- a/modules/apache/templates/vhost_base.conf +++ b/modules/apache/templates/vhost_base.conf @@ -1,4 +1,4 @@ -<%- if use_ssl then +<%- if @use_ssl then port = 443 else port = 80 @@ -6,19 +6,19 @@ end -%> <VirtualHost *:<%= port %>> -<%- if use_ssl then -%> +<%- if @use_ssl then -%> <%= scope.function_template(["apache/vhost_ssl.conf"]) %> <%- end -%> - ServerName <%= real_vhost %> -<%- server_aliases.each do |key| -%> + ServerName <%= @real_vhost %> +<%- @server_aliases.each do |key| -%> ServerAlias <%= key %> <%- end -%> - DocumentRoot <%= location %> + DocumentRoot <%= @location %> - CustomLog <%= real_access_logfile %> combined - ErrorLog <%= real_error_logfile %> + CustomLog <%= @real_access_logfile %> combined + ErrorLog <%= @real_error_logfile %> -<%- if enable_public_html -%> +<%- if @enable_public_html -%> #TODO add the rest UserDir public_html <%- else -%> 
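Review bot: `sys.stdin.readline()` reads in text mode, so a query string containing bytes that are not valid in the process locale's encoding raises `UnicodeDecodeError` and the helper exits; since mod_rewrite feeds it `%{QUERY_STRING}` verbatim, any client can trigger that, and once a `prg:` map has died later lookups come back empty (I do not believe mod_rewrite restarts it — worth confirming). Reading bytes avoids the problem and `urllib.parse.quote` accepts bytes directly: `for raw in sys.stdin.buffer:` / `    print(urllib.parse.quote(raw.rstrip(b"\n")))`. This also replaces the `while True`/`break` loop and the ambiguous single-letter name `l`. A one-line comment noting that the helper must emit exactly one output line per input line (the `prg:` map protocol) would help the next maintainer.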
@@ -27,19 +27,19 @@ end </IfModule> <%- end -%> -<%- aliases.keys.sort {|a,b| a.size <=> b.size }.reverse.each do |key| -%> - Alias <%= key %> <%= aliases[key] %> +<%- @aliases.keys.sort {|a,b| a.size <=> b.size }.reverse.each do |key| -%> + Alias <%= key %> <%= @aliases[key] %> <%- end -%> - <%= content %> + <%= @content %> -<%- if options.length > 0 -%> - <Directory <%= location %>> - Options <%= options.join(" ") %> +<%- if @options.length > 0 -%> + <Directory <%= @location %>> + Options <%= @options.join(" ") %> </Directory> <%- end -%> -<%- if enable_location -%> +<%- if @enable_location -%> <Location /> <IfModule mod_authz_core.c> Require all granted diff --git a/modules/apache/templates/vhost_django_app.conf b/modules/apache/templates/vhost_django_app.conf index 3310045e..d85cf7a9 100644 --- a/modules/apache/templates/vhost_django_app.conf +++ b/modules/apache/templates/vhost_django_app.conf @@ -1 +1 @@ -WSGIScriptAlias / /usr/local/lib/wsgi/<%= name %>.wsgi +WSGIScriptAlias / /usr/local/lib/wsgi/<%= @name %>.wsgi diff --git a/modules/apache/templates/vhost_fcgid.conf b/modules/apache/templates/vhost_fcgid.conf index 17b2bb06..f137c866 100644 --- a/modules/apache/templates/vhost_fcgid.conf +++ b/modules/apache/templates/vhost_fcgid.conf @@ -1,8 +1,8 @@ AddHandler fcgid-script .pl -<%- script_aliases.keys.sort {|a,b| a.size <=> b.size }.reverse.each do |key| -%> - ScriptAlias <%= key %> <%= script_aliases[key] %> +<%- @script_aliases.keys.sort {|a,b| a.size <=> b.size }.reverse.each do |key| -%> + ScriptAlias <%= key %> <%= @script_aliases[key] %> <%- end -%> -FcgidMinProcessesPerClass <%= process %> +FcgidMinProcessesPerClass <%= @process %> FcgidIdleTimeout 30 # These robots were scraping the whole of svnweb in 2024-04, causing severe 
@@ -13,4 +13,29 @@ FcgidIdleTimeout 30 RewriteEngine on RewriteCond %{HTTP_USER_AGENT} ClaudeBot|Amazonbot RewriteRule . - [R=403,L] + +# Block expensive SVN operations on all common robots ("spider" covers a +# bunch). "Expensive" is considered to be most operations other than showing a +# directory or downloading a specific version of a file. +# Note: eliminating view=log and annotate= doesn't make much difference to the +# CPU load when robots are hitting the server in real world operation. +RewriteCond %{QUERY_STRING} pathrev=|r1= +RewriteCond %{HTTP_USER_AGENT} "Googlebot|GoogleOther|bingbot|Yahoo! Slurp|ClaudeBot|Amazonbot|YandexBot|SemrushBot|Barkrowler|DataForSeoBot|PetalBot|facebookexternalhit|GPTBot|ImagesiftBot|spider|Spider|iPod|Trident|Presto" +RewriteRule . - [R=403,L] + +# Only let expensive operations through when a cookie is set. If no cookie is +# set, redirect to a page where it will be set using JavaScript and redirect +# back. This will block requests from user agents that do not support +# JavaScript, which includes many robots. +RewriteMap urlescape prg:/usr/local/bin/urlescape +RewriteCond %{QUERY_STRING} pathrev=|r1= +RewriteCond %{REQUEST_URI} !/_check +RewriteCond %{HTTP_COOKIE} !session=([^;]+) [novary] +RewriteRule . %{REQUEST_SCHEME}://%{SERVER_NAME}:%{SERVER_PORT}/_check?to=%{REQUEST_URI}?${urlescape:%{QUERY_STRING}} [R=302,L] + +# Block abusive spiders by IP address who don't identify themselves in the +# User-Agent: string +RewriteCond expr "-R '47.76.0.0/14' || -R '47.80.0.0/14' || -R '47.208.0.0/16' || -R '47.238.0.0/16' || -R '8.210.0.0/16' || -R '8.218.0.0/16' || -R '188.239.0.0/18' || -R '166.108.192.0/18' || -R '124.243.160.0/19' || -R '101.46.0.0/20'" +RewriteRule . - [R=403,L] + ErrorDocument 403 "<html><body>Impolite robots are not allowed</body></html>" diff --git a/modules/apache/templates/vhost_redirect.conf b/modules/apache/templates/vhost_redirect.conf index 0f256881..c787311e 100644 
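Review bot: The 302 in the new cookie-check block builds `to=%{REQUEST_URI}?${urlescape:%{QUERY_STRING}}`, escaping the query string but not the path, so a decoded path containing `?`, `&` or `#` produces an ambiguous `to` value for `/_check` to parse; passing it through the same map, `to=${urlescape:%{REQUEST_URI}}?${urlescape:%{QUERY_STRING}}`, keeps the literal `?` as the only separator (unless mod_rewrite's default substitution escaping already covers this — confirm with a path containing an encoded `?`). `RewriteCond %{HTTP_COOKIE} !session=([^;]+)` only tests that a cookie of that name exists, not that `/_check` issued it, so the comment should describe this as friction for non-JavaScript clients rather than a block, and `/_check` (not in this diff) must only redirect to same-origin paths or `to=` becomes an open redirect. The User-Agent list also matches `Trident`, `Presto` and `iPod`, i.e. Internet Explorer, older Opera and iOS Safari, which will return 403 to real users on `pathrev=`/`r1=` URLs; if that is intentional it deserves a comment.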
--- a/modules/apache/templates/vhost_redirect.conf +++ b/modules/apache/templates/vhost_redirect.conf @@ -1,2 +1,2 @@ -Redirect / <%= url %> +Redirect / <%= @url %> diff --git a/modules/apache/templates/vhost_reverse_proxy.conf b/modules/apache/templates/vhost_reverse_proxy.conf index 1488c682..4859bda3 100644 --- a/modules/apache/templates/vhost_reverse_proxy.conf +++ b/modules/apache/templates/vhost_reverse_proxy.conf @@ -1,4 +1,4 @@ -<%= content %> +<%= @content %> ProxyRequests Off ProxyPreserveHost On @@ -7,9 +7,9 @@ Order deny,allow Allow from all </Proxy> -<%- if url =~ /^https/ -%> +<%- if @url =~ /^https/ -%> SSLProxyEngine On <%- end -%> - ProxyPass / <%= url %> - ProxyPassReverse / <%= url %> + ProxyPass / <%= @url %> + ProxyPassReverse / <%= @url %> diff --git a/modules/apache/templates/vhost_simple.conf b/modules/apache/templates/vhost_simple.conf index afc443de..77b55287 100644 --- a/modules/apache/templates/vhost_simple.conf +++ b/modules/apache/templates/vhost_simple.conf @@ -1,6 +1,6 @@ <VirtualHost *:80> - ServerName <%= name %> - DocumentRoot <%= location %> + ServerName <%= @name %> + DocumentRoot <%= @location %> <Location /> <IfModule mod_authz_core.c> diff --git a/modules/apache/templates/vhost_ssl.conf b/modules/apache/templates/vhost_ssl.conf index e39e6820..0cb52eca 100644 --- a/modules/apache/templates/vhost_ssl.conf +++ b/modules/apache/templates/vhost_ssl.conf 
@@ -2,12 +2,12 @@ SSLProtocol ALL -SSLv2 -SSLv3 SSLHonorCipherOrder On SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS - <%- if wildcard_sslcert == 'true' then -%> - SSLCertificateFile /etc/ssl/wildcard.<%= domain %>.crt - SSLCertificateKeyFile /etc/ssl/wildcard.<%= domain %>.key - SSLCACertificateFile /etc/ssl/wildcard.<%= domain %>.pem + <%- if @wildcard_sslcert == 'true' then -%> + SSLCertificateFile /etc/ssl/wildcard.<%= @domain %>.crt + SSLCertificateKeyFile /etc/ssl/wildcard.<%= @domain %>.key + SSLCACertificateFile /etc/ssl/wildcard.<%= @domain %>.pem SSLVerifyClient None <%- else -%> - SSLCertificateFile /etc/ssl/apache/<%= real_vhost %>.pem - SSLCertificateKeyFile /etc/ssl/apache/<%= real_vhost %>.pem + SSLCertificateFile /etc/ssl/apache/<%= @real_vhost %>.pem + SSLCertificateKeyFile /etc/ssl/apache/<%= @real_vhost %>.pem <%- end -%> diff --git a/modules/apache/templates/vhost_ssl_redirect.conf b/modules/apache/templates/vhost_ssl_redirect.conf index d13c3093..23a7eabe 100644 --- a/modules/apache/templates/vhost_ssl_redirect.conf +++ b/modules/apache/templates/vhost_ssl_redirect.conf @@ -1 +1 @@ -Redirect / https://<%= name %>/ +Redirect / https://<%= @name %>/ diff --git a/modules/apache/templates/vhost_wsgi.conf b/modules/apache/templates/vhost_wsgi.conf index 34926411..2f1ba585 100644 --- a/modules/apache/templates/vhost_wsgi.conf +++ b/modules/apache/templates/vhost_wsgi.conf @@ -1,3 +1,3 @@ -WSGIScriptAlias / <%= wsgi_path %> +WSGIScriptAlias / <%= @wsgi_path %> |