Reference

See the Reference Documentation for full details

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they can be submitted to our JIRA.

Please read our Contribution Guide.

Reference

Table of Contents

Classes

• simp_apache: Configures an Apache server
• simp_apache::conf: This class sets up apache.conf.
• simp_apache::install: Apache package management
• simp_apache::service: Control the Apache service
• simp_apache::ssl: Configures an Apache server with SSL support
• simp_apache::validate: Should be used as input to validate_deep_hash when managing ldap

Defined types

• simp_apache::site: This adds a 'site' to your configuration.

Resource types

• htaccess: Manages the contents of htaccess files using the htpasswd command. Right now the $namevar must be a path/user combination as documented under

Functions

• simp_apache::auth: Takes a hash of arguments related to Apache 'Auth' settings and returns a reasonably formatted set of options. Currently, only htaccess and
• simp_apache::limits: Takes a hash of arguments related to Apache 'Limits' settings and returns a reasonably formatted set of options. Currently, host, user ('val
• simp_apache::munge_httpd_networks: Provides a method by which an array of networks can be properly formatted for an Apache Allow/Deny segment. This handles the case of 0.0.0.0

Data types

• Simp_apache::LogSeverity: Valid log serveries for Apache

Classes

simp_apache

Ensures that the appropriate files are in the appropriate places and can optionally rsync the /var/www/html content.

Ideally, we will move over to the Puppet Labs apache module in the future but it's going to be quite a bit of work to port all of our code.

Parameters

The following parameters are available in the simp_apache class:

• data_dir
• rsync_web_root
• ssl
• rsync_source
• rsync_server
• rsync_timeout

data_dir

Data type: Stdlib::AbsolutePath

The location where apache web data should be stored. Set to /srv/www for legacy reasons.

Default value: '/var/www'

rsync_web_root

Data type: Boolean

Whether or not to rsync over the web root.

Default value: true

ssl

Data type: Boolean

Whether or not to enable SSL. You will need to set the Hiera variables for apache::ssl appropriately for your needs.

Default value: true

rsync_source

Data type: String

The source on the rsync server.

Default value: "apache_${facts['environment']}_${facts['os']['name']}/www"

rsync_server

Data type: Simplib::Host

The name/address of the rsync server.

Default value: simplib::lookup('simp_options::rsync::server', { 'default_value' => '127.0.0.1' })

rsync_timeout

Data type: Integer

The rsync connection timeout.

Default value: simplib::lookup('simp_options::rsync::timeout', { 'default_value' => 2 })

simp_apache::conf

This class sets up apache.conf.

• See also
  • The

    * following parameters are referenced in the stock apache
    

    documentation

Parameters

The following parameters are available in the simp_apache::conf class:

• httpd_timeout
• httpd_loglevel
• listen
• firewall
• syslog
• syslog_target
• purge
• keepalive
• maxkeepalive
• keepalivetimeout
• prefork_startservers
• prefork_minspareservers
• prefork_maxspareservers
• prefork_serverlimit
• prefork_maxclients
• prefork_maxrequestsperchild
• worker_startservers
• worker_maxclients
• worker_minsparethreads
• worker_maxsparethreads
• worker_threadsperchild
• worker_maxrequestsperchild
• includes
• serveradmin
• servername
• allowroot
• defaulttype
• enablemmap
• enablesendfile
• user
• group
• logformat
• logfacility

httpd_timeout

Data type: Integer

The Timeout variable. Renamed to not conflict with the Puppet reserved word 'timeout'.

Default value: 120

httpd_loglevel

Data type: Simp_apache::LogSeverity

The LogLevel variable. Renamed to not conflict with the Puppet reserved word 'loglevel'.

Default value: 'warn'

listen

Data type: Array[Variant[Simplib::Host::Port, Simplib::Port]]

An array of ports upon which Apache should listen.

NOTE: If you are using an IPv6 with a port, you need to bracket the address

Default value: [80]

firewall

Data type: Boolean

Whether or not to use the SIMP IPTables module.

Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false })

syslog

Data type: Boolean

Whether or not to use the SIMP Rsyslog module.

Default value: simplib::lookup('simp_options::syslog', { 'default_value' => false })

syslog_target

Data type: Stdlib::AbsolutePath

If $syslog is true, store the apache logs at this location.

Default value: '/var/log/httpd'

purge

Data type: Boolean

Whether or not to purge the configuration directories.

Default value: true

keepalive

Data type: Boolean

Default value: false

maxkeepalive

Data type: Integer

Default value: 100

keepalivetimeout

Data type: Integer

Default value: 15

prefork_startservers

Data type: Integer

Default value: 8

prefork_minspareservers

Data type: Integer

Default value: 5

prefork_maxspareservers

Data type: Integer

Default value: 20

prefork_serverlimit

Data type: Integer

Default value: 3000

prefork_maxclients

Data type: Integer

Default value: 3000

prefork_maxrequestsperchild

Data type: Integer

Default value: 4000

worker_startservers

Data type: Integer

Default value: 2

worker_maxclients

Data type: Integer

Default value: 3000

worker_minsparethreads

Data type: Integer

Default value: 25

worker_maxsparethreads

Data type: Integer

Default value: 75

worker_threadsperchild

Data type: Integer

Default value: 25

worker_maxrequestsperchild

Data type: Integer

Default value: 0

includes

Data type: Optional[Array[String]]

Default value: undef

serveradmin

Data type: String

Default value: 'root@localhost'

servername

Data type: Optional[String]

Default value: undef

allowroot

Data type: Simplib::Netlist

Default value: ['127.0.0.1','::1']

defaulttype

Data type: String

Default value: 'text/plain'

enablemmap

Data type: Boolean

Default value: true

enablesendfile

Data type: Boolean

Default value: true

user

Data type: String

Default value: 'apache'

group

Data type: String

Default value: 'apache'

logformat

Data type: String

Default value: '%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"'

logfacility

Data type: Simplib::Syslog::LowerFacility

Default value: 'local6'

simp_apache::install

Apache package management

Parameters

The following parameters are available in the simp_apache::install class:

• httpd_ensure
• mod_ldap_ensure
• mod_ssl_ensure

httpd_ensure

Data type: String

The ensure status the httpd package

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

mod_ldap_ensure

Data type: String

The ensure status the mod_ldap package

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

mod_ssl_ensure

Data type: String

The ensure status the mod_ssl package

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

simp_apache::service

Control the Apache service

Parameters

The following parameters are available in the simp_apache::service class:

• manage
• service_name
• ensure
• enable
• hasstatus
• hasrestart
• restart

manage

Data type: Boolean

Whether or not to manage the service

If set to false, you may need to add the service name to svckill::ignore if you are in enforcing mode.

Default value: true

service_name

Data type: String[1]

The name of the service to manage

Default value: 'httpd'

ensure

Data type: String[1]

The state that the service should be in

Default value: 'running'

enable

Data type: Boolean

Whether or not to enable the daemon

Default value: true

hasstatus

Data type: Boolean

Whether or not the service has a 'status' command

Default value: true

hasrestart

Data type: Boolean

If set to true then the contents of $restart will be ignored

Default value: false

restart

Data type: String[1]

A specific command to use to restart the daemon

• Ignored if $hasrestart is set to true
• The reload || restart is in place to try to force a clean restart if a reload fails to do the job.

Default value: '/usr/bin/systemctl reload httpd.service || /usr/bin/systemctl restart httpd.service'

simp_apache::ssl

Ensures that the appropriate files are in the appropriate places and have the correct permissions.

@NOTE: Any parameter that comes directly from Apache is not documented here and should be found in the Apache mod_ssl reference documentation.

• See also
  • https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifyclient

Parameters

The following parameters are available in the simp_apache::ssl class:

• listen
• trusted_nets
• logformat
• enable_default_vhost
• firewall
• pki
• app_pki_external_source
• app_pki_dir
• app_pki_key
• app_pki_cert
• app_pki_ca_dir
• haveged
• openssl_cipher_suite
• ssl_protocols
• ssl_honor_cipher_order
• sslverifyclient
• sslverifydepth

listen

Data type: Array[Variant[Simplib::Host::Port, Simplib::Port]]

An array of ports upon which the stock SSL configuration should listen.

@NOTE: If you are using an IPv6 with a port, you need to bracket the address

Default value: [443]

trusted_nets

Data type: Simplib::Netlist

An array of networks that you trust to connect to your server.

Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1', '::1'] })

logformat

Data type: String

The default LogFormat to be used for SSL logging. Set to '' to disable logging.

Default value: '%t %h %{SSL_CLIENT_S_DN_CN}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b %s'

enable_default_vhost

Data type: Boolean

Whether to activate the default VirtualHost on the $listen port.

Default value: true

firewall

Data type: Boolean

Whether to use the SIMP iptables module.

Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false, })

pki

Data type: Variant[Boolean,Enum['simp']]

• If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/simp_apache/x509
• If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/simp_apache/x509
• If false, do not include SIMP's pki module and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:
  • app_pki_dir
  • app_pki_key
  • app_pki_cert
  • app_pki_ca
  • app_pki_ca_dir

Default value: simplib::lookup('simp_options::pki', { 'default_value' => false })

app_pki_external_source

Data type: String

• If pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.

• If pki = false, this variable has no effect.

Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })

app_pki_dir

Data type: Stdlib::AbsolutePath

This variable controls the basepath of $app_pki_key, $app_pki_cert, $app_pki_ca, $app_pki_ca_dir, and $app_pki_crl. It defaults to /etc/pki/simp_apps/simp_apache/pki.

Default value: '/etc/pki/simp_apps/simp_apache/x509'

app_pki_key

Data type: Stdlib::AbsolutePath

Path and name of the private SSL key file

Default value: "${app_pki_dir}/private/${facts['networking']['fqdn']}.pem"

app_pki_cert

Data type: Stdlib::AbsolutePath

Path and name of the public SSL certificate

Default value: "${app_pki_dir}/public/${facts['networking']['fqdn']}.pub"

app_pki_ca_dir

Data type: Stdlib::AbsolutePath

Path to the CA.

Default value: "${app_pki_dir}/cacerts"

haveged

Data type: Boolean

Whether to use the SIMP haveged module to assist with entropy generation.

Default value: simplib::lookup('simp_options::haveged', { 'default_value' => false })

openssl_cipher_suite

Data type: Array[String]

The Cipher Suite the client is permitted to negotiate in the SSL handshake phase.

Default value: simplib::lookup('simp_options::openssl::cipher_suite', { 'default_value' => ['DEFAULT', '!MEDIUM'] })

ssl_protocols

Data type: Array[String]

This directive can be used to control which versions of the SSL/TLS protocol will be accepted in new connections.

Default value: ['TLSv1.2']

ssl_honor_cipher_order

Data type: Boolean

Option to prefer the server's cipher preference order.

Default value: true

sslverifyclient

Data type: String

This directive sets the Certificate verification level for the Client Authentication.

Default value: 'require'

sslverifydepth

Data type: Integer

This directive sets how deeply mod_ssl should verify before deciding that the clients don't have a valid certificate.

Default value: 10

simp_apache::validate

or limits ACLs

Defined types

simp_apache::site

It simply pulls a $name'd template from the templates/sites directory under the apache module, or somewhere else if you specify. The name should be 'something'.conf and should be an Apache includable configuration file.

Examples

site { 'public': }

Parameters

The following parameters are available in the simp_apache::site defined type:

• content

content

Data type: String

Set this to something other than 'base' if you with to write in your own custom content on the fly.

Default value: 'base'

Resource types

htaccess

Manages the contents of htaccess files using the htpasswd command. Right now the $namevar must be a path/user combination as documented under the $name parameter. Hopefully, this can be fixed in the future.

Note: If you want different permissions than root:root 640, you will need to create a 'file' object to manage the target file.

Properties

The following properties are available in the htaccess type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

password

The user's new password either as an SHA hash or as plain text. Anything not prefixed with {SHA} will be treated as plain text.

Parameters

The following parameters are available in the htaccess type.

• name
• provider

name

namevar

A variable of the format 'path:username'. This will hopefully be split in the future but, for now, you cannot use usernames that contain a colon ':'.

provider

The specific backend to use for this htaccess resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

Functions

simp_apache::auth

Type: Ruby 4.x API

Takes a hash of arguments related to Apache 'Auth' settings and returns a reasonably formatted set of options.

Currently, only htaccess and LDAP support are implemented.

Examples

Htaccess and LDAP authentication:

simp_apache::auth({
  # Htaccess support
  'file' => {
    'enable'    => 'true',
    'user_file' => '/etc/httpd/conf.d/test/.htdigest'
  }
  'ldap'    => {
    'enable'      => 'true',
    # The LDAP server URI in Apache form.
    'url'         => ['ldap://server1','ldap://server2'],
    # Must be one of 'NONE', 'SSL', 'TLS', or 'STARTTLS'
    'security'    => 'STARTTLS',
    'binddn'      => 'cn=happy,ou=People,dc=your,dc=domain',
    'bindpw'      => 'birthday',
    'search'      => 'ou=People,dc=your,dc=domain',
    # Whether or not your LDAP groups are POSIX groups.
    'posix_group' => 'true'
   }
 }
)

Output:
  AuthName "Please Authenticate"
  AuthType Basic
  AuthBasicProvider ldap file
  AuthLDAPUrl "ldap://server1 server2/ou=People,dc=your,dc=domain" STARTTLS
  AuthLDAPBindDN "cn=happy,ou=People,dc=your,dc=domain',
  AuthLDAPBindPassword 'birthday'
  AuthLDAPGroupAttributeIsDN off
  AuthLDAPGroupAttribute memberUid
  AuthUserFile /etc/httpd/conf.d/elasticsearch/.htdigest

simp_apache::auth(Hash $auth_hash)

Takes a hash of arguments related to Apache 'Auth' settings and returns a reasonably formatted set of options.

Currently, only htaccess and LDAP support are implemented.

Returns: String Formatted Apache authentication settings

Examples

Htaccess and LDAP authentication:

simp_apache::auth({
  # Htaccess support
  'file' => {
    'enable'    => 'true',
    'user_file' => '/etc/httpd/conf.d/test/.htdigest'
  }
  'ldap'    => {
    'enable'      => 'true',
    # The LDAP server URI in Apache form.
    'url'         => ['ldap://server1','ldap://server2'],
    # Must be one of 'NONE', 'SSL', 'TLS', or 'STARTTLS'
    'security'    => 'STARTTLS',
    'binddn'      => 'cn=happy,ou=People,dc=your,dc=domain',
    'bindpw'      => 'birthday',
    'search'      => 'ou=People,dc=your,dc=domain',
    # Whether or not your LDAP groups are POSIX groups.
    'posix_group' => 'true'
   }
 }
)

Output:
  AuthName "Please Authenticate"
  AuthType Basic
  AuthBasicProvider ldap file
  AuthLDAPUrl "ldap://server1 server2/ou=People,dc=your,dc=domain" STARTTLS
  AuthLDAPBindDN "cn=happy,ou=People,dc=your,dc=domain',
  AuthLDAPBindPassword 'birthday'
  AuthLDAPGroupAttributeIsDN off
  AuthLDAPGroupAttribute memberUid
  AuthUserFile /etc/httpd/conf.d/elasticsearch/.htdigest

auth_hash

Data type: Hash

Hash containing desired Apache authentication methods and relevant parameters as key value pairs. The key is the authentication method, while the corresponding value is a Hash of relevant parameters.

simp_apache::limits

Type: Ruby 4.x API

Takes a hash of arguments related to Apache 'Limits' settings and returns a reasonably formatted set of options.

Currently, host, user ('valid-user' only), ldap-user, and ldap-group limits are supported. The hash keys for these are host limit: 'hosts' user limit: 'users'; only applies for 'valid-user', all others assumed LDAP users ldap-user limit: 'users' ldap-group limit: 'ldap_groups'

Groups of LDAP user primary groups are not supported since you would need to know the GID.

Examples

Host, user and ldap_group limits:

apache_limits(
  {
    # Set the defaults
    # If this is omitted, it just defaults to 'GET'.
    'defaults' => [ 'GET', 'POST', 'PUT' ],
    # Allow the hosts/subnets below to GET, POST, and PUT to ES.
    'hosts'  => {
      '1.2.3.4'     => 'defaults',
      '3.4.5.6'     => 'defaults',
      '10.1.2.0/24' => 'defaults'
    },
    # You can make a special user 'valid-user' that will translate to
    # allowing all valid users.
    'users'  => {
      # Allow user bob GET, POST, and PUT to ES.
      'bob'     => 'defaults',
      # Allow user alice GET, POST, PUT, and DELETE to ES.
      'alice'   => ['GET','POST','PUT','DELETE']
    },
    'ldap_groups' => {
       # Let the nice users read from ES.
       "cn=nice_users,ou=Group,${::basedn}" => 'defaults'
     }
  }
)

Output:
  <Limit DELETE>
    Order allow,deny
    Require user alice
    Satisfy any
  </Limit>

  <Limit GET>
    Order allow,deny
    Allow from 1.2.3.4
    Allow from 3.4.5.6
    Allow from 10.1.2.0/24
    Require ldap-user bob
    Require ldap-user alice
    Require ldap-group cn=nice_users,ou=Group,dc=your,dc=domain
    Satisfy any
  </Limit>

  <Limit POST>
    Order allow,deny
    Allow from 1.2.3.4
    Allow from 3.4.5.6
    Allow from 10.1.2.0/24
    Require ldap-user bob
    Require ldap-user alice
    Require ldap-group cn=nice_users,ou=Group,dc=your,dc=domain
    Satisfy any
  </Limit>

  <Limit PUT>
    Order allow,deny
    Allow from 1.2.3.4
    Allow from 3.4.5.6
    Allow from 10.1.2.0/24
    Require ldap-user bob
    Require ldap-user alice
    Require ldap-group cn=nice_users,ou=Group,dc=your,dc=domain
    Satisfy any
  </Limit>

simp_apache::limits(Hash $limits_hash)

Takes a hash of arguments related to Apache 'Limits' settings and returns a reasonably formatted set of options.

Currently, host, user ('valid-user' only), ldap-user, and ldap-group limits are supported. The hash keys for these are host limit: 'hosts' user limit: 'users'; only applies for 'valid-user', all others assumed LDAP users ldap-user limit: 'users' ldap-group limit: 'ldap_groups'

Groups of LDAP user primary groups are not supported since you would need to know the GID.

Returns: String Formatted Apache limits settings

Examples

Host, user and ldap_group limits:

apache_limits(
  {
    # Set the defaults
    # If this is omitted, it just defaults to 'GET'.
    'defaults' => [ 'GET', 'POST', 'PUT' ],
    # Allow the hosts/subnets below to GET, POST, and PUT to ES.
    'hosts'  => {
      '1.2.3.4'     => 'defaults',
      '3.4.5.6'     => 'defaults',
      '10.1.2.0/24' => 'defaults'
    },
    # You can make a special user 'valid-user' that will translate to
    # allowing all valid users.
    'users'  => {
      # Allow user bob GET, POST, and PUT to ES.
      'bob'     => 'defaults',
      # Allow user alice GET, POST, PUT, and DELETE to ES.
      'alice'   => ['GET','POST','PUT','DELETE']
    },
    'ldap_groups' => {
       # Let the nice users read from ES.
       "cn=nice_users,ou=Group,${::basedn}" => 'defaults'
     }
  }
)

Output:
  <Limit DELETE>
    Order allow,deny
    Require user alice
    Satisfy any
  </Limit>

  <Limit GET>
    Order allow,deny
    Allow from 1.2.3.4
    Allow from 3.4.5.6
    Allow from 10.1.2.0/24
    Require ldap-user bob
    Require ldap-user alice
    Require ldap-group cn=nice_users,ou=Group,dc=your,dc=domain
    Satisfy any
  </Limit>

  <Limit POST>
    Order allow,deny
    Allow from 1.2.3.4
    Allow from 3.4.5.6
    Allow from 10.1.2.0/24
    Require ldap-user bob
    Require ldap-user alice
    Require ldap-group cn=nice_users,ou=Group,dc=your,dc=domain
    Satisfy any
  </Limit>

  <Limit PUT>
    Order allow,deny
    Allow from 1.2.3.4
    Allow from 3.4.5.6
    Allow from 10.1.2.0/24
    Require ldap-user bob
    Require ldap-user alice
    Require ldap-group cn=nice_users,ou=Group,dc=your,dc=domain
    Satisfy any
  </Limit>

limits_hash

Data type: Hash

Hash containing desired Apache limits

simp_apache::munge_httpd_networks

Type: Ruby 4.x API

Provides a method by which an array of networks can be properly formatted for an Apache Allow/Deny segment.

This handles the case of 0.0.0.0/0, which Apache doesn't care for and this function will convert to 'ALL'.

The case where a / is passed is also handled since Apache doesn't care for these at all.

simp_apache::munge_httpd_networks(Array $networks)

Provides a method by which an array of networks can be properly formatted for an Apache Allow/Deny segment.

This handles the case of 0.0.0.0/0, which Apache doesn't care for and this function will convert to 'ALL'.

The case where a / is passed is also handled since Apache doesn't care for these at all.

Returns: Array Array of network s formated appropriately for Apache

networks

Data type: Array

Array of networks to be converted to Apache format

Data types

Simp_apache::LogSeverity

Valid log serveries for Apache

Alias of Enum['emerg', 'alert', 'crit', 'err', 'warn', 'notice', 'info', 'debug']

• Fri Sep 13 2024 Steven Pritchard steve@sicura.us - 7.5.0

• [puppetsync] Update module dependencies to support simp-iptables 7.x

• Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 7.4.0

• [puppetsync] Updates for Puppet 8
  • These updates may include the following:
    • Update Gemfile
    • Add support for Puppet 8
    • Drop support for Puppet 6
    • Update module dependencies

• Thu Sep 07 2023 Steven Pritchard steve@sicura.us - 7.3.0

• Add AlmaLinux 8 support

• Mon Jun 12 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 7.2.0

• Add RockyLinux 8 support

• Tue Jul 06 2021 Trevor Vaughan tvaughan@onyxpoint.com - 7.1.0

  • Fixed
    • Ensure that all file resources that manage more than permissions have an 'ensure' attribute - See PUP-7599
  • Changed
    • Moved the 'magic' file into an EPP template to work better with Bolt

• Wed Jun 16 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 7.1.0

• Removed support for Puppet 5
• Ensured support for Puppet 7 in requirements and stdlib

• Fri Feb 26 2021 Liz Nemsick lnemsick.simp@gmail.com - 7.0.2

• Use systemd to reload/restart the httpd service.
• Expanded simp/rsyslog dependendency range to < 9.0.0.

• Wed Jan 13 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 7.0.2

• Removed EL6 from supported OSes

• Thu Nov 05 2020 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.1-0

• Default to only TLS1.2

• Thu Jan 16 2020 Jeanne Greulich jeanne.greulich@onyxpoint.com - 7.0.0-0

• Update Puppet module to support EL8
• Remove deprecated Puppet 3 API functions:
  • apache_auth: replaced by simp_apache::auth
  • apache_limits: replaced by simp_apache::limits
  • munge_httpd_networks: replaced by simp_apache::munge_httpd_networks
• Update the upper bound of simp-simplib to < 5.0.0

• Wed Jul 24 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.2.0-0

• Split out service management into a simp_apache::service class
• Provide users with a Hiera-driveable option to not manage the service
• Add REFERENCE.md

• Wed Jul 17 2019 Robert Vincent pillarsdotnet@gmail.com - 6.2.0-0

• Ensure that the simp_apache::munge_httpd_networks does not attempt to modify passed parameters.

• Thu Jun 06 2019 Steven Pritchard steven.pritchard@onypoint.com - 6.2.0-0

• Add v2 compliance_markup data
• Drop support for Puppet 4
• Add support for Puppet 6
• Add support for puppetlabs-stdlib 6

• Mon Mar 25 2019 Jim Anderson thesemicolons@protonmail.com - 6.1.3-0

• Added command to force purging of the conf/ and conf.d/ folders in /etc/httpd.

• Thu Mar 21 2019 Joseph Sharkey shark.bruhaha@gmail.com - 6.1.2-0

• Removed unnecessary bracketize function

• Wed Feb 13 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.1.1-0

• Use simplib::passgen() in lieu of passgen(), a deprecated simplib Puppet 3 function.
• Use simplib::nets2cidr in simp_apache::munge_httpd_networks in in lieu of nets2cidr(), a deprecated simplib Puppet 3 function.
• Use simplib::ipaddresses in lieu of ipaddresses(), a deprecated simplib Puppet 3 function.
• Update the upper bound of stdlib to < 6.0.0
• Update a URL in the README.md

• Fri Oct 12 2018 Nick Miller nick.miller@onyxpoint.com - 6.1.0-0

• Added $package_ensure parameters to simp_apache::install
  • $httpd_ensure $mod_ldap_ensure $mod_ssl_ensure
  • Changed the package from 'latest' to 'installed'
  • Each ensure parameter will also respect simp_options::package_ensure
• Update badges and contribution guide URL in README.md

• Fri Sep 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.1.0-0

• Drop Hiera 4 support

• Wed Sep 05 2018 Nicholas Markowski nicholas.markowski@onyxpoint.com - 6.1.0-0

• Updated $app_pki_external_source to accept any string. This matches the functionality of pki::copy.

• Tue Jul 17 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.0-0

• Support for Puppet5/OEL
• fixed htaccess tests for Gitlab

• Thu Jun 14 2018 Nick Miller nick.miller@onyxpoint.com - 6.0.2-0

• Update systemd fixtures and CI assets
• Update version range of auditd dependency in metadata.json

• Mon Apr 16 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.0.2-0

• set owned to simp_apache::user instead of simp_apache group on configuration files.
• remove simpcat as dependency
• cleaned up fixtures file

• Thu Jun 22 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.0.1-0

• Create namespaced, Puppet 4 versions of externally-used Puppet 3 functions and mark the Puppet 3 functions as deprecated. They will be removed in a later release.
• apache_auth should be replaced with simp_apache::auth
• apache_limits should be replaced with simp_apache::limits
• munge_httpd_networks should be replaced with simp_apache::munge_httpd_networks
• Update puppet requirement and remove OBE pe requirement in metadata.json

• Mon Jan 23 2017 Nick Miller nick.miller@onyxpoint.com - 6.0.0-0

• Fixed dependency logic with mod_ldap to not install it on CentOS 7
• Rsyslog calls no longer include implied logic
• Rsync now calls the correct share

• Tue Jan 17 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0

• simp_apache::site now includes simp_apache

• Tue Jan 10 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0

• Updated pki scheme
• Application certs are managed in /etc/pki/simp_apps/simp_apache/x509

• Fri Dec 30 2016 Nick Miller nick.miller@onyxpoint.com - 6.0.0-0

• Renamed add_site to site
• Strongly typed module
• Updated module assets
• Wrote a basic class acceptance test

• Wed Dec 07 2016 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0

• Updated catalysts to take defaults from simp_options

• Thu Dec 01 2016 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-0

• Updated to use the environment-aware rsync in SIMP 6

• Thu Dec 01 2016 Nicholas Hughes, Nick Markowski nmarkowski@keywcorp.com - 5.0.1-0

• Prevent log duplication and log where intended
• Changed naming to XX or YY to come before the default Z_default.conf for local rules, but after the numbered configs used by the log_server class.

• Wed Nov 23 2016 Jeanne Greulich jgreulich.simp@onyxpoint.com - 5.0.0-0

• update requirement versions

• Fri Nov 18 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.0-0

• Updated to compliance_markup version 2

• Wed Nov 16 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.0.0-0

• Updated iptables dependency version

• Fri Nov 11 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.0.0-0

• Fixed bug in which htaccess type would fail to compile as it required 'sha1' instead of 'digest/sha1'
• Fixed bug in which htaccess provider dropped the first line of an existing htaccess file, when that line did not contain the Puppet-management warning comment.
• Eliminated use of deprecated Puppet.newtype

• Fri Sep 30 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0

• Deconflict with the puppetlabs-apache module and move to the name 'simp_apache'

• Wed Sep 28 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.6-0

• Fix Forge haveged dependency name

• Tue Jul 19 2016 Lucas Yamanishi lucas.yamanishi@onyxpoint.com - 4.1.5-0

• Add default Require to apache_limits() output

• Thu Jun 30 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.4-0

• Haveged included by default for entropy generation.

• Sun May 22 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.3-0

• Ensure that PKI certificates that are downloaded without using simp::pki are copied recursively.

• Thu Apr 14 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.2-0

• Ensure that the munge_httpd_networks array is flattened on return. This is a Ruby 1.9 compatiblity issue.

• Sat Mar 19 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.1-0

• Migrated use_simp_pki to a global catalyst.

• Tue Mar 01 2016 Ralph Wright ralph.wright@onyxpoint.com - 4.1.0-21

• Added compliance function support

• Tue Jan 26 2016 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-20

• Normalized common static module assets

• Thu Jan 07 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-19

• Updated to correct some ordering issues.

• Thu Nov 12 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-18

• Updated to switch from 'lsb' facts to 'operatingsystem' facts for environments that don't install the LSB packages.

• Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-17

• migration to simplib and simpcat (lib/ only)

• Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-16

• Migrated to the new 'simp' environment.

• Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-15

• Changed puppet-server requirement to puppet

• Mon Dec 15 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-14

• Updated the templates to use mod_version instead of custom apache_version fact.
• Ensure that mod_ldap in installed by default on TC versions > 5.0.
• Properly scoped all custom function definitions.

• Thu Dec 04 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-13

• Updated to properly handle the SSL protocols in Apache. We now add a
  • if one is warranted and just keep the entry if it starts with a + a minus or is 'all'.

• Fri Oct 17 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-12

• CVE-2014-3566: Updated protocols to mitigate POODLE.

• Mon Sep 08 2014 Trevor Vaughan tvaughan@onyxpoint.com 4.1.0-11

• Properly confined the apache_version fact.
• Updated the apache::validate hash to not include booleans. They are not allowed on the left hand side of the comparison hash.

• Tue Aug 26 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-10

• Fixed the apache_version fact to return unkown when Apache is not installed.

• Tue Jul 29 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-9

• Fix munge_httpd_networks
• Updated to use /var/www for SIMP>=5

• Mon Jul 21 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-9

• Updated munge_httpd_networks to strip out entries that are blank or nil.

• Mon Jun 23 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8

• Fixed SELinux check for when selinux_current_mode is not found.
• RHEL7 compatiblity updates
• Added a fact, 'apache_version', to allow for minute differences between the 2.2 and 2.4 versions of Apache

• Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-8

• Removed MD5 file checksums for FIPS compliance.

• Fri Jun 13 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-7

• Unbound apache package from service to fix ordering in bootstrap

• Fri May 16 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-6

• Updated cipher set in SSL to be an array instead of a string.

• Wed Apr 30 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-5

• Removed all references to $::primary_ipaddress and replaced them with a collection of all local IP addresses in the ERB files.

• Tue Apr 29 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-5

• Updated apache_limits required directives from core to mod_authnz_ldap, by changing Require user/group "foo" to Require ldap-user/group foo.

• Mon Apr 14 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-4

• Removed the ks and yum sites and moved them into the simp module.
• Removed the runpuppet templated and moved it into the simp module.

• Fri Apr 04 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-4

• Selinux booleans now set if mode != disabled

• Wed Mar 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3

• Removed the apache_syslog script and replaced all calls with calls to logger for scalability.
• Updated the munge_httpd_networks function to call nets2cidr where appropriate and accept pretty much everything else since Apache can take so many different options.
• Removed the broken PKI copy code and call the new pki::copy define.

• Fri Mar 14 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-2

• Re-added the ability to have Apache log via syslog directly.
• Removed the passgen template and replaced it with a call to the passgen function.

• Wed Feb 12 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-1

• Ensure that apache::conf::allowroot defaults to ['127.0.0.1','::1']
• Small amounts of cleanup to start complying with the PL coding standards.
• Added management of the $data_dir (/srv/www) to the ::apache class. This removes it from floating in the manifests space.
• Modified the apache restart script to do a reload and then restart if that fails. This should ensure minimal downtime of all running apps.
• Updated the runpuppet script to ensure that the clients will properly use the new variables and that servers can kick other servers.
• Update to runpuppet to ensure that the first run of puppet has a waitforcert to allow for manual certificate signing. Submission from Lab76.org.

• Thu Jan 09 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-1

• Updated the runpuppet init script such that it will remain on the system but in a completely disabled state.

• Tue Nov 12 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-0

• Restructured the entire apache module to be hiera friendly.
• Eliminated all singleton defines.
• Added the ability to use a custom PKI source and not use the SIMP source.
• Added toggles for all SIMP specific items.

• Thu Oct 03 2013 Kendall Moore kmoore@keywcorp.com - 4.0.0-14

• Updated all erb templates to properly scope variables.

• Wed Oct 02 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-14

• Use versioncmp for all version comparisons.

• Wed Sep 11 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0-13

• Added an apache::validate class that currently supports the apache_auth material but could be used to hold other values.
• Added an apache_limits function which takes a hash of options and returns a formatted set of 'Limit' statements suitable for direct insertion into an Apache configuration.
• Added an apache_auth function which takes a hash of options and returns a formatted segment of Apache auth sections. Currently supports 'file' (htpasswd) and 'ldap'.

• Thu May 02 2013 Trevor Vaughan tvaughan@onyxpoint.com 4.0-12

• Work performed jointly with Kendall Moore kmoore@keywcorp.com
• Named properly switches between chroot and non-chroot versions based on whether or not SELinux is enforcing.

• Mon Feb 25 2013 Maintenance 4.0-12

• Added a call to $::rsync_timeout to the rsync call since it is now required.

• Wed Feb 20 2013 Maintenance 4.0-11

• Updated the ssl.conf and httpd.conf templates because function calls require an argument of an array rather than allowing for single string arguments.

• Fri Jan 04 2013 Maintenance 4.0-10

• Added a custom function 'munge_httpd_networks' that will accept an array, or string, and return an array of translated network addresses. At this time, the only translation is from 0.0.0.0* to 'ALL' since apache really doesn't like 0.0.0.0/0.

• Mon Oct 22 2012 Maintenance 4.0-9

• Updated the runpuppet script to not log remotely during the puppet runs so that large numbers of spawning client won't kill the master.

• Wed Oct 03 2012 Maintenance 4.0.0-8

• Added a sleep statement after the reboot in the runpuppet script to keep it other startup scripts from continuing.

• Thu Jul 05 2012 Maintenance 4.0.0-7

• Cleaned up the yum and ks templates.
• Added the Option +Indexes to the yum and ks configurations. This allows for browsing of the yum repositories which is important for virt-manager and other kickstart utilities.

• Thu Jun 07 2012 Maintenance 4.0.0-6

• Ensure that Arrays in templates are flattened.
• Call facts as instance variables.
• Moved mit-tests to /usr/share/simp...
• Updated to work with IPv6 addresses.
• Updated pp files to better meet Puppet's recommended style guide.

• Fri Mar 02 2012 Maintenance 4.0.0-5

• Improved test stubs.

• Mon Feb 13 2012 Maintenance 4.0-4

• Added the ability for the apache user to be in multiple groups.

• Fri Dec 23 2011 Maintenance 4.0-3

• Added an initial set of tests.
• Scoped all of the top level variables.
• Modified the runpuppet template so that it properly detects the system's status as a master.
• Replaced instances of 'ipaddress' with 'primary_ipaddress'

• Sat Nov 19 2011 Maintenance 4.0-2

• Moved the 'domain' entries after the ip addresses so that DNS lookups would happen last.

• Fri Aug 12 2011 Maintenance 4.0-1

• Added support for a variable 'ks_ntp_servers' which will override the 'ntp_servers' variable from vars.pp inside of runpuppet.erb.
• Ensure that the '-b' option is passed to ntpdate in runpuppet.erb.

• Tue Jul 12 2011 Maintenance 4.0-0

• Added a variable $runpuppet_print_stats to runpuppet.erb that will enable --evaltrace and --summarize if set to 'true'.
• Updated the htaccess type to properly work with Puppet >= 2.6
• Made some RHEL6 specific compatibilty changes.
• Added additional tags to the puppet runs in runpuppet.

• Mon Apr 18 2011 Maintenance - 2.0.0-3

• Changed puppet://$puppet_server/ to puppet:///
• The dhcp module now expects to have an associated rsync space that is password protected.
• Added comments to apache::ssl::setup to note that users will need to manage their own service restarts if they use alternate certificates.
• Ensure that apache restarts if any part of the certificte space is changed.
• Additional options have been added to the SSL configuration for flexibility.
• Removed Ganglia related material.
• Remove welcome.conf on the systems.
• Updated to use syslog by default.

• Fri Feb 04 2011 Maintenance - 2.0.0-2

• Changed all instances of defined(Class['foo']) to defined('foo') per the directions from the Puppet mailing list.
• Bug fix in the puppet_passenger template to ensure that PassengerMaxPoolSize is not set to 0 and also accounts for other units coming back from Facter.
• Converted to using rsync native type

2.0.0-1

• Added 'Allow from' to ganglia site template.
• Updated default values for number of passenger instances
• Updated default values for MaxClients and ServerLimit
• Updated runpuppet to use --no-splay
• Updated default value of purge in httpd_conf to false

• Tue Jan 11 2011 Maintenance 2.0.0-0

• Refactored for SIMP-2.0.0-alpha release

• Fri Jan 7 2011 Maintenance - 1.0-6

• Now ensure that the apache rsync does not delete the underlying files. This turned out to be a poor initial design decision.
• Fixed bug that causes the apache rsync space to never be retrieved.
• Updated passenger template to use correct rubylib path
• Added a httpd_conf $purge variable that translates into whether or not to remove anything that we don't have in rsync.

• Wed Jan 5 2011 Maintenance - 2.0.0

• Updated for the simp 2.0.0-alpha release
• Fixed bug causing apache rsync space to never be retrieved.

• Mon Dec 6 2010 Maintenance - 1.0-5

• Added the ability to modify the main user/group that apache runs as. The group of all component files is still set to 'apache' so you'll need to take that into account when you configure your site files.
• Added Ganglia Site

• Thu Oct 28 2010 Maintenance - 1.0-4

• Modified puppet_mongrel template to use revocation file.

• Tue Oct 26 2010 Maintenance - 1.0-3

• Converting all spec files to check for directories prior to copy.

• Thu Aug 12 2010 Maintenance 1.0-2

• runpuppet.erb now redirects all output to the log file and runs in verbose mode.

• Wed Jul 21 2010 Maintenance 1.0-1

• More refactoring.

• Wed Jun 02 2010 Maintenance 1.0-0

• CRLs now work properly.
• Passenger listens on 8140 and 8141 by default.
• Improved puppet_passenger template.
• Now point the certs in the mongrel and passenger templates at the local CA certs, not the CA server certs.
• Code refactor.

• Thu Apr 29 2010 Maintenance 0.1-24

• Changed operatingsystemrelease to lsbmajdistrelease since RHEL5.5 shows as 5.5 and not 5.

• Wed Mar 17 2010 Maintenance 0.1-23

• Added a small sleep to the apache restart that prevents a race condition caused by calling 'service httpd restart' just after 'service httpd stop'

• Thu Jan 28 2010 Maintenance 0.1-22

• Fixed a bug with the format of the puppet command variable in runpuppet.
• The script now executes cleanly out of the box.

• Thu Jan 14 2010 Maintenance 0.1-21

• Added 'TraceEnable off' to the default httpd.conf.

• Tue Dec 15 2009 Maintenance 0.1-20

• Add a yum clean all prior to running the puppetd run in runpuppet.

• Thu Nov 05 2009 Maintenance 0.1-19

• Prevent the runpuppet script from printing diff information to the logs.