pieterdp-hx_apache

Module to set default options for the Apache web server. Uses puppetlabs-apache.


License
GPL-3.0
Install
puppet module install pieterdp-hx_apache --version 1.1.2

Documentation

hx_apache

Table of Contents

  1. Description
  2. Setup
  3. Usage
  4. Reference
  5. Limitations
  6. Development

Description

This module preconfigures the Apache HTTP Web Server using puppetlabs-apache so the server runs both HTTP and HTTPS, supports proxying and uses a secure set of SSL ciphers and protocols.

Setup

What hx_apache affects

  • This module uses the puppetlabs-apache-module, so it will automatically purge all (Apache) configuration files not managed by Puppet.

Beginning with hx_apache

The most simple configuration is:

class {'hx_apache': }

Usage

Default configuration

The module itself will automatically set the following parameters:

  • Enable both HTTP (port 80) and HTTPS (port 443).
  • Enable the proxy modules mod_proxy, mod_proxy_http (HTTP) and mod_proxy_connect (HTTPS).
  • Deny access to any .git directory in the _DocumentRoot_s of all configured websites.

Options

By changing the parameters to hx_apache, you can influence the following settings:

  • ssl_cipher: provide a list of ciphers the server will support. The server will chose one from the list starting at the leftmost cipher. Separate ciphers with a colon (:).

  • ssl_protocol: provide an array of supported protocols. Uses the same syntax as the Apache configuration file (e.g. -SSLv2 is supported).

  • default_mods: list of modules that will be loaded by default. See the puppetlabs-apache documentation for the correct syntax.

Reference

Class hx_apache

The base class.

Parameters

  • ssl_cipher: string of supported SSL ciphers. Uses the same syntax as the Apache configuration file. Default value is ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256.

  • ssl_protocol: array of supported SSL protocols. Uses the same syntax as the Apache configuration file. Default value is ['all', '-SSLv2', '-SSLv3' '-TLSv1', '-TLSv1.1'].

  • default_mods: array of modules that are loaded by default. Uses puppetlabs-apache syntax. By default set to ['auth_basic', 'setenvif', 'headers', 'env', 'authz_user', 'alias', 'autoindex', 'mime', 'rewrite', 'authn_file', 'negotiation', 'access_compat', 'deflate', 'authn_core', 'dir'].

  • server_admin: configure the ServerAdmin setting. Set to hostname@domain by default (e.g. s1@example.org).

Limitations

This module was tested on Ubuntu 14.04, but should work with all Ubuntu versions. Only works for Apache >= 2.4. RedHat-based systems are also supported.

Development

Pull requests welcome at https://github.com/pieterdp/hx_apache.