Merge pull request puppetlabs#1570 from bmjen/rel-prep

Release 1.11.0 Prep

Author: hunner

CHANGELOG.md

@@ -1,3 +1,73 @@
+## Supported Release 1.11.0
+#### Summary
+This release adds SLES12 Support and many more features and bugfixes.
+
+#### Features
+- (MODULES-4049) Adds SLES 12 Support
+- Adds additional directories options for LDAP Auth
+  - `auth_ldap_url`
+  - `auth_ldap_bind_dn`
+  - `auth_ldap_bind_password`
+  - `auth_ldap_group_attribute`
+  - `auth_ldap_group_attribute_is_dn`
+- Allows `mod_event` parameters to be unset
+- Allows management of default root directory access rights
+- Adds class `apache::vhosts` to create apache::vhost resources
+- Adds class `apache::mod::proxy_wstunnel`
+- Adds class `apache::mod::dumpio`
+- Adds class `apache::mod::socache_shmcb`
+- Adds class `apache::mod::authn_dbd`
+- Adds support for apache 2.4 on Amazon Linux
+- Support the newer `mod_auth_cas` config options
+- Adds `wsgi_script_aliases_match` parameter to `apache::vhost`
+- Allow to override all SecDefaultAction attributes
+- Add audit_log_relevant_status parameter to apache::mod::security
+- Allow absolute path to $apache::mod::security::activated_rules
+- Allow setting SecAuditLog
+- Adds `passenger_max_instances_per_app` to `mod::passenger`
+- Allow the proxy_via setting to be configured
+- Allow no_proxy_uris to be used within proxy_pass
+- Add rpaf.conf template parameter to `mod::rpaf`
+- Allow user to specify alternative package and library names for shibboleth module
+- Allows configuration of shibboleth lib path
+- Adds parameter `passenger_data_buffer_dir` to `mod::passenger`
+- Adds SSL stapling 
+- Allows use of `balance_manager` with `mod_proxy_balancer`
+- Raises lower bound of `stdlib` dependency to version 4.2
+- Adds support for Passenger repo on Amazon Linux
+- Add ability to set SSLStaplingReturnResponderErrors on server level 
+- (MODULES-4213) Allow global rewrite rules inheritance in vhosts
+- Moves `mod_env` to its own class and load it when required
+
+#### Bugfixes
+- Deny access to .ht and .hg, which are created by mercurial hg.
+- Instead of failing, include apache::mod::prefork in manifests/mod/itk.pp instead.
+- Only set SSLCompression when it is set to true.
+- Remove duplicate shib2 hash element
+- (MODULES-3388) Include mpm_module classes instead of class declaration
+- Updates `apache::balancer` to respect `apache::confd_dir`
+- Wrap mod_security directives in an IfModule
+- Fixes to various mods for Ubuntu Xenial
+- Fix /etc/modsecurity perms to match package
+- Fix PassengerRoot under Debian stretch
+- (MODULES-3476) Updates regex in apache_version custom fact to work with EL5
+- Dont sql_injection_attacks.data
+- Add force option to confd file resource to purge directory without warnings
+- Patch httpoxy through mod_security
+- Fixes config ordering of IncludeOptional
+- Fixes bug where port numbers were unquoted
+- Fixes bug where empty servername for vhost were written to template
+- Auto-load `slotmem_shm` and `lbmethod_byrequests` with `proxy_balancer` on 2.4
+- Simplify MPM setup on FreeBSD
+- Adds requirement for httpd package
+- Do not set ssl_certs_dir on FreeBSD
+- Fixes bug that produces a duplicate `Listen 443` after a package update on EL7
+- Fixes bug where custom facts break structured facts
+- Avoid relative classname inclusion
+- Fixes a failure in `vhost` if the first element of `$rewrites` is not a hash
+- (MODULES-3744) Process $crs_package before $modsec_dir
+- (MODULES-1491) Adds `::apache` include to mods that need it
+
 ## Supported Release 1.10.0
 #### Summary
 This release fixes backwards compatibility bugs introduced in 1.9.0. Also includes a new mod class and a new vhost feature.

Gemfile

@@ -47,6 +47,8 @@ group :development do
   gem 'rubocop-rspec', '~> 1.6',            :require => false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.3.0')
   gem 'pry',                                :require => false
   gem 'json_pure', '<= 2.0.1',              :require => false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0')
+  gem 'fast_gettext', '1.1.0',              :require => false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0')
+  gem 'fast_gettext',                       :require => false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0')
 end
 
 group :system_tests do

README.md

@@ -166,6 +166,7 @@
 [`mod_dbd`]: http://httpd.apache.org/docs/current/mod/mod_dbd.html
 [`mod_disk_cache`]: https://httpd.apache.org/docs/2.2/mod/mod_disk_cache.html
 [`mod_dumpio`]: https://httpd.apache.org/docs/2.4/mod/mod_dumpio.html
+[`mod_env`]: http://httpd.apache.org/docs/current/mod/mod_env.html
 [`mod_expires`]: https://httpd.apache.org/docs/current/mod/mod_expires.html
 [`mod_ext_filter`]: https://httpd.apache.org/docs/current/mod/mod_ext_filter.html
 [`mod_fcgid`]: https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
@@ -323,6 +324,8 @@ class { 'apache':
 }
 ```
 
+> **Note**: When `default_vhost` is set to `false` you have to add at least one `apache::vhost` resource or Apache will not start.
+
 ## Usage
 
 ### Configuring virtual hosts
@@ -931,6 +934,8 @@ Configures a default virtual host when the class is declared. Valid options: Boo
 
 To configure [customized virtual hosts][Configuring virtual hosts], set this parameter's value to false.
 
+> **Note**: Apache will not start without at least one virtual host. If you set this to false be sure to configure one elsewhere.
+
 ##### `dev_packages`
 
 Configures a specific dev package to use. Valid options: A string or array of strings. Default: Depends on the operating system.
@@ -1369,6 +1374,7 @@ The following Apache modules have supported classes, many of which allow for par
 * `dir`\*
 * `disk_cache` (see [`apache::mod::disk_cache`][])
 * `dumpio` (see [`apache::mod::dumpio`][])
+* `env`
 * `event` (see [`apache::mod::event`][])
 * `expires`
 * `ext_filter` (see [`apache::mod::ext_filter`][])
@@ -2891,6 +2897,35 @@ apache::vhost { 'site.name.fdqn':
 
 Refer to the [`mod_rewrite` documentation][`mod_rewrite`] for more details on what is possible with rewrite rules and conditions.
 
+##### `rewrite_inherit`
+
+Determines whether the virtual host inherits global rewrite rules. Default: false.
+
+Rewrite rules may be specified globally (in `$conf_file` or `$confd_dir`) or inside the virtual host `.conf` file. By default, virtual hosts do not inherit global settings. To activate inheritance, specify the `rewrites` parameter and set `rewrite_inherit` parameter to `true`:
+
+``` puppet
+apache::vhost { 'site.name.fdqn':
+  …
+  rewrites => [
+    <rules>,
+  ],
+  rewrite_inherit => true,
+}
+```
+
+> **Note**: The `rewrites` parameter is **required** for this to have effect
+
+###### Some background
+
+Apache activates global `Rewrite` rules inheritance if the virtual host files contains the following directives:
+
+``` ApacheConf
+RewriteEngine On
+RewriteOptions Inherit
+```
+
+Refer to the [official `mod_rewrite` documentation](https://httpd.apache.org/docs/2.2/mod/mod_rewrite.html), section "Rewriting in Virtual Hosts".
+
 ##### `scriptalias`
 
 Defines a directory of CGI scripts to be aliased to the path '/cgi-bin', such as '/usr/scripts'. Default: undef.

manifests/default_mods.pp

@@ -152,7 +152,7 @@
     include ::apache::mod::authz_user
 
     ::apache::mod { 'authz_groupfile': }
-    ::apache::mod { 'env': }
+    include ::apache::mod::env
   } elsif $mods {
     ::apache::default_mods::load { $mods: }
 

manifests/mod/env.pp

@@ -0,0 +1,3 @@
+class apache::mod::env {
+  ::apache::mod { 'env': }
+}

manifests/vhost.pp

@@ -103,6 +103,7 @@
   $rewrite_base                = undef,
   $rewrite_rule                = undef,
   $rewrite_cond                = undef,
+  $rewrite_inherit             = false,
   $setenv                      = [],
   $setenvif                    = [],
   $setenvifnocase              = [],
@@ -539,11 +540,19 @@
     }
   }
 
+  # Check if mod_env is required and not yet loaded.
+  # create an expression to simplify the conditional check
+  $use_env_mod = $setenv and ! empty($setenv)
+  if ($use_env_mod) {
+    if ! defined(Class['apache::mod::env']) {
+      include ::apache::mod::env
+    }
+  }
   # Check if mod_setenvif is required and not yet loaded.
   # create an expression to simplify the conditional check
-  $use_setenv_mod = ($setenv and ! empty($setenv)) or ($setenvif and ! empty($setenvif)) or ($setenvifnocase and ! empty($setenvifnocase))
+  $use_setenvif_mod = ($setenvif and ! empty($setenvif)) or ($setenvifnocase and ! empty($setenvifnocase))
 
-  if ($use_setenv_mod) {
+  if ($use_setenvif_mod) {
     if ! defined(Class['apache::mod::setenvif']) {
       include ::apache::mod::setenvif
     }
@@ -907,7 +916,7 @@
   # Template uses:
   # - $setenv
   # - $setenvif
-  if ($use_setenv_mod) {
+  if ($use_env_mod or $use_setenvif_mod) {
     concat::fragment { "${name}-setenv":
       target  => "${priority_real}${filename}.conf",
       order   => 220,

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "puppetlabs-apache",
-  "version": "1.10.0",
+  "version": "1.11.0",
   "author": "puppetlabs",
   "summary": "Installs, configures, and manages Apache virtual hosts, web services, and modules.",
   "license": "Apache-2.0",
@@ -55,7 +55,8 @@
     {
       "operatingsystem": "SLES",
       "operatingsystemrelease": [
-        "11 SP1"
+        "11 SP1",
+        "12"
       ]
     },
     {

spec/acceptance/default_mods_spec.rb

@@ -34,12 +34,18 @@ class { 'apache':
           default_mods => false,
         }
         apache::vhost { 'defaults.example.com':
-          docroot => '#{$doc_root}/defaults',
-          aliases => {
+          docroot     => '#{$doc_root}/defaults',
+          aliases     => {
             alias => '/css',
             path  => '#{$doc_root}/css',
           },
-          setenv  => 'TEST1 one',
+          directories => [
+	        {
+              'path'            => "#{$doc_root}/admin",
+              'auth_basic_fake' => 'demo demopass',
+            }
+          ],
+          setenv      => 'TEST1 one',
         }
       EOS
 

spec/defines/vhost_spec.rb

@@ -343,6 +343,7 @@
           'rewrite_base'                => '/',
           'rewrite_rule'                => '^index\.html$ welcome.html',
           'rewrite_cond'                => '%{HTTP_USER_AGENT} ^MSIE',
+          'rewrite_inherit'             => true,
           'setenv'                      => ['FOO=/bin/true'],
           'setenvif'                    => 'Request_URI "\.gif$" object_is_image=gif',
           'setenvifnocase'              => 'REMOTE_ADDR ^127.0.0.1 localhost=true',
@@ -453,6 +454,7 @@
       it { is_expected.to contain_class('apache::mod::fastcgi') }
       it { is_expected.to contain_class('apache::mod::headers') }
       it { is_expected.to contain_class('apache::mod::filter') }
+      it { is_expected.to contain_class('apache::mod::env') }
       it { is_expected.to contain_class('apache::mod::setenvif') }
       it { is_expected.to contain_concat('30-rspec.example.com.conf').with({
         'owner'   => 'root',
@@ -556,6 +558,8 @@
       it { is_expected.to contain_concat__fragment('rspec.example.com-rack') }
       it { is_expected.to contain_concat__fragment('rspec.example.com-redirect') }
       it { is_expected.to contain_concat__fragment('rspec.example.com-rewrite') }
+      it { is_expected.to contain_concat__fragment('rspec.example.com-rewrite').with(
+        :content => /^\s+RewriteOptions Inherit$/ ) }
       it { is_expected.to contain_concat__fragment('rspec.example.com-scriptalias') }
       it { is_expected.to contain_concat__fragment('rspec.example.com-serveralias') }
       it { is_expected.to contain_concat__fragment('rspec.example.com-setenv').with_content(

templates/vhost/_rewrite.erb

@@ -1,6 +1,9 @@
 <%- if @rewrites -%>
   ## Rewrite rules
   RewriteEngine On
+  <%- if @rewrite_inherit -%>
+  RewriteOptions Inherit
+  <%- end -%>
   <%- if @rewrite_base -%>
   RewriteBase <%= @rewrite_base %>
   <%- end -%>

templates/vhost/_ssl.erb

@@ -43,7 +43,7 @@
   <%- if @ssl_openssl_conf_cmd -%>
   SSLOpenSSLConfCmd       <%= @ssl_openssl_conf_cmd %>
   <%- end -%>
-  <%- if not @ssl_stapling.nil? && scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
+  <%- if (not @ssl_stapling.nil?) && (scope.function_versioncmp([@apache_version, '2.4']) >= 0) -%>
   SSLUseStapling <%= scope.function_bool2httpd([@ssl_stapling]) %>
   <%- end -%>
   <%- if @ssl_stapling_timeout && scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>