openstack/puppet-openstacklib
Code Issues Proposed changes
0d807bc375
puppet-openstacklib/manifests/wsgi/apache.pp
Takashi Kajinami e61fb1e4e2 apache: Add support for RequestHeader statements 
This change introduces the new parameter to override
the apache::vhost::request_headers parameter, which is used to define
RequestHeader statements in vhost configuration.

Change-Id: I360b18acdf974bf3cdc9f8e817b66cd85f116afd
2021-12-09 01:19:11 +00:00

400 lines
13 KiB
Puppet
Raw Blame History

#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Author: Emilien Macchi <emilien.macchi@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: openstacklib::wsgi::apache
#
# Serve a service with apache mod_wsgi
# When using this class you should disable your service.
#
# == Parameters
#
# [*service_name*]
# (Optional) Name of the service to run.
# Example: nova-api
# Defaults to $name
#
# [*servername*]
# (Optional) The servername for the virtualhost
# Defaults to $::fqdn
#
# [*bind_host*]
# (Optional) The host/ip address Apache will listen on.
# Defaults to undef (listen on all ip addresses)
#
# [*bind_port*]
# (Optional) The port to listen.
# Defaults to undef
#
# [*group*]
# (Optional) Group with permissions on the script.
# Defaults to undef
#
# [*path*]
# (Optional) The prefix for the endpoint.
# Defaults to '/'
#
# [*priority*]
# (Optional) The priority for the vhost.
# Defaults to '10'
#
# [*setenv*]
# (Optional) Set environment variables for the vhost.
# Defaults to []
#
# [*ssl*]
# (Optional) Use SSL.
# Defaults to false
#
# [*ssl_cert*]
# (Optional) Path to SSL certificate.
# Default to apache::vhost 'ssl_*' defaults
#
# [*ssl_key*]
# (Optional) Path to SSL key.
# Default to apache::vhost 'ssl_*' defaults
#
# [*ssl_verify_client*]
# (Optional) Sets the SSLVerifyClient directive which sets the
# certificate verification level for client authentication.
# Default to apache::vhost 'ssl_*' defaults
#
# [*ssl_chain*]
# (Optional) SSL chain.
# Default to apache::vhost 'ssl_*' defaults
#
# [*ssl_ca*]
# (Optional) Path to SSL certificate authority.
# Default to apache::vhost 'ssl_*' defaults
#
# [*ssl_crl_path*]
# (Optional) Path to SSL certificate revocation list.
# Default to apache::vhost 'ssl_*' defaults
#
# [*ssl_crl*]
# (Optional) SSL certificate revocation list name.
# Default to apache::vhost 'ssl_*' defaults
#
# [*ssl_certs_dir*]
# (Optional) Path to SSL certificate directory
# Default to apache::vhost 'ssl_*' defaults
#
# [*threads*]
# (Optional) The number of threads for the vhost.
# Defaults to 1
#
# [*user*]
# (Optional) User with permissions on the script
# Defaults to undef
#
# [*workers*]
# (Optional) The number of workers for the vhost.
# Defaults to $::os_workers
#
# [*wsgi_daemon_process*]
# (Optional) Name of the WSGI daemon process.
# Defaults to $name
#
# [*wsgi_process_display_name*]
# (Optional) Name of the WSGI process display-name.
# Defaults to $name
#
# [*wsgi_process_group*]
# (Optional) Name of the WSGI process group.
# Defaults to $name
#
# [*wsgi_script_dir*]
# (Optional) The directory path of the WSGI script.
# Defaults to undef
#
# [*wsgi_script_file*]
# (Optional) The file path of the WSGI script.
# Defaults to undef
#
# [*wsgi_script_source*]
# (Optional) The source of the WSGI script.
# Defaults to undef
#
# [*wsgi_application_group*]
# (Optional) The application group of the WSGI script.
# Defaults to '%{GLOBAL}'
#
# [*wsgi_pass_authorization*]
# (Optional) Whether HTTP authorisation headers are passed through to a WSGI
# script when the equivalent HTTP request headers are present.
# Defaults to undef
#
# [*wsgi_chunked_request*]
# (Optional) Makes the vhost allow chunked requests which is useful for
# handling TE (Transfer-Encoding), chunked or gzip. This sets the
# WSGIChunkedRequest option in the vhost.
# Defaults to undef
#
# [*set_wsgi_import_script*]
# (Optional) Enable WSGIImportScript.
# Defaults to false
#
# [*wsgi_import_script*]
# (Optional) WSGIImportScript path.
# Defaults to undef
# If not set and set_wsgi_import_script is true, defaults to the WSGI
# application module path
#
# [*wsgi_import_script_options*]
# (Optional) Sets WSGIImportScript options.
# Defaults to undef
# If not set and set_wsgi_import_script is true, push a dict as follow:
# {
# process-group => $wsgi_daemon_process,
# application-group => $wsgi_application_group,
# }
#
# [*headers*]
# (Optional) Headers for the vhost.
# Defaults to undef
#
# [*request_headers*]
# (Optional) Modifies collected request headers in various ways.
# Defaults to undef
#
# [*aliases*]
# (Optional) Aliases for the vhost.
# Defaults to undef
#
# [*custom_wsgi_process_options*]
# (Optional) gives you the oportunity to add custom process options or to
# overwrite the default options for the WSGI process.
# eg. to use a virtual python environment for the WSGI process
# you could set it to:
# { python-path => '/my/python/virtualenv' }
# Defaults to {}
#
# [*custom_wsgi_script_aliases*]
# (Optional) Pass a hash with any extra WSGI script aliases that you want
# to load for the same vhost, this is then combined with the default
# script alias built usin $path, $wsgi_script_dir and $wsgi_script_file.
# Defaults to undef
#
# [*vhost_custom_fragment*]
# (Optional) Passes a string of custom configuration
# directives to be placed at the end of the vhost configuration.
# Defaults to undef
#
# [*allow_encoded_slashes*]
# (Optional) If set, uses apache's AllowEncodedSlashes option in the vhost.
# This option is passed to puppetlabs-apache, which accepts only 4
# options: undef, "on", "off" or "nodecode". This is thus validated in the
# underlying vhost resource.
# Defaults to undef
#
# [*access_log_file*]
# (Optional) The log file name for the virtualhost.
# access_log_file and access_log_pipe is mutually exclusive.
# Defaults to false
#
# [*access_log_pipe*]
# (Optional) Specifies a pipe where Apache sends access logs for the virtualhost.
# access_log_file and access_log_pipe is mutually exclusive.
# Defaults to false
#
# [*access_log_syslog*]
# (Optional) Sends the virtualhost access log messages to syslog.
# Defaults to false
#
# [*access_log_format*]
# (Optional) The log format for the virtualhost.
# Defaults to false
#
# [*error_log_file*]
# (Optional) The error log file name for the virtualhost.
# error_log_file and error_log_pipe is mutually exclusive.
# Defaults to undef
#
# [*error_log_pipe*]
# (Optional) Specifies a pipe where Apache sends error logs for the virtualhost.
# error_log_file and error_log_pipe is mutually exclusive.
# Defaults to undef
#
# [*error_log_syslog*]
# (Optional) Sends the virtualhost error log messages to syslog.
# Defaults to undef
#
define openstacklib::wsgi::apache (
$service_name = $name,
$servername = $::fqdn,
$bind_host = undef,
$bind_port = undef,
$group = undef,
$path = '/',
$priority = '10',
$setenv = [],
$ssl = false,
$ssl_ca = undef,
$ssl_cert = undef,
$ssl_certs_dir = undef,
$ssl_chain = undef,
$ssl_crl = undef,
$ssl_crl_path = undef,
$ssl_key = undef,
$ssl_verify_client = undef,
$threads = 1,
$user = undef,
$workers = $::os_workers,
$wsgi_daemon_process = $name,
$wsgi_process_display_name = $name,
$wsgi_process_group = $name,
$wsgi_script_dir = undef,
$wsgi_script_file = undef,
$wsgi_script_source = undef,
$wsgi_application_group = '%{GLOBAL}',
$wsgi_pass_authorization = undef,
$wsgi_chunked_request = undef,
$set_wsgi_import_script = false,
$wsgi_import_script = undef,
$wsgi_import_script_options = undef,
$headers = undef,
$request_headers = undef,
$aliases = undef,
$custom_wsgi_process_options = {},
$custom_wsgi_script_aliases = undef,
$vhost_custom_fragment = undef,
$allow_encoded_slashes = undef,
$access_log_file = false,
$access_log_pipe = false,
$access_log_syslog = false,
$access_log_format = false,
$error_log_file = undef,
$error_log_pipe = undef,
$error_log_syslog = undef,
) {
include apache
include apache::mod::wsgi
if $ssl {
include apache::mod::ssl
}
# Ensure there's no trailing '/' except if this is also the only character
$path_real = regsubst($path, '(^/.*)/$', '\1')
if !defined(File[$wsgi_script_dir]) {
file { $wsgi_script_dir:
ensure => directory,
owner => $user,
group => $group,
mode => '0755',
}
}
file { $service_name:
ensure => file,
links => follow,
path => "${wsgi_script_dir}/${wsgi_script_file}",
source => $wsgi_script_source,
owner => $user,
group => $group,
mode => '0644',
}
$wsgi_daemon_process_options = merge (
{
user => $user,
group => $group,
processes => $workers,
threads => $threads,
display-name => $wsgi_process_display_name,
},
$custom_wsgi_process_options,
)
$wsgi_script_aliases_default = hash([$path_real,"${wsgi_script_dir}/${wsgi_script_file}"])
if $custom_wsgi_script_aliases {
$wsgi_script_aliases_real = merge($wsgi_script_aliases_default, $custom_wsgi_script_aliases)
} else {
$wsgi_script_aliases_real = $wsgi_script_aliases_default
}
# Sets WSGIImportScript related options
if $set_wsgi_import_script {
if $wsgi_import_script {
$wsgi_import_script_real = $wsgi_import_script
} else {
$wsgi_import_script_real = $wsgi_script_aliases_real[$path_real]
}
if $wsgi_import_script_options {
$wsgi_import_script_options_real = $wsgi_import_script_options
} else {
$wsgi_import_script_options_real = {
process-group => $wsgi_daemon_process,
application-group => $wsgi_application_group,
}
}
} else {
$wsgi_import_script_real = undef
$wsgi_import_script_options_real = undef
}
# End of WSGIImportScript related options
::apache::vhost { $service_name:
ensure => 'present',
servername => $servername,
ip => $bind_host,
port => $bind_port,
docroot => $wsgi_script_dir,
docroot_owner => $user,
docroot_group => $group,
priority => $priority,
setenv => $setenv,
setenvif => ['X-Forwarded-Proto https HTTPS=1'],
ssl => $ssl,
ssl_cert => $ssl_cert,
ssl_key => $ssl_key,
ssl_verify_client => $ssl_verify_client,
ssl_chain => $ssl_chain,
ssl_ca => $ssl_ca,
ssl_crl_path => $ssl_crl_path,
ssl_crl => $ssl_crl,
ssl_certs_dir => $ssl_certs_dir,
wsgi_daemon_process => hash([$wsgi_daemon_process, $wsgi_daemon_process_options]),
wsgi_process_group => $wsgi_process_group,
wsgi_script_aliases => $wsgi_script_aliases_real,
wsgi_application_group => $wsgi_application_group,
wsgi_pass_authorization => $wsgi_pass_authorization,
wsgi_chunked_request => $wsgi_chunked_request,
wsgi_import_script => $wsgi_import_script_real,
wsgi_import_script_options => $wsgi_import_script_options_real,
headers => $headers,
request_headers => $request_headers,
aliases => $aliases,
custom_fragment => $vhost_custom_fragment,
allow_encoded_slashes => $allow_encoded_slashes,
access_log_file => $access_log_file,
access_log_pipe => $access_log_pipe,
access_log_syslog => $access_log_syslog,
access_log_format => $access_log_format,
error_log_file => $error_log_file,
error_log_pipe => $error_log_pipe,
error_log_syslog => $error_log_syslog,
options => ['-Indexes', '+FollowSymLinks','+MultiViews'],
}
Package<| title == 'httpd' |>
~> File<| title == $wsgi_script_dir |>
~> File<| title == $service_name |>
~> Apache::Vhost<| title == $service_name |>
}
View Git Blame Copy Permalink