Merge pull request puppetlabs#1580 from puppetlabs/release

Release 1.11.0 mergeback

Author: Helen

CHANGELOG.md

@@ -1,3 +1,73 @@
+## Supported Release 1.11.0
+#### Summary
+This release adds SLES12 Support and many more features and bugfixes.
+
+#### Features
+- (MODULES-4049) Adds SLES 12 Support
+- Adds additional directories options for LDAP Auth
+  - `auth_ldap_url`
+  - `auth_ldap_bind_dn`
+  - `auth_ldap_bind_password`
+  - `auth_ldap_group_attribute`
+  - `auth_ldap_group_attribute_is_dn`
+- Allows `mod_event` parameters to be unset
+- Allows management of default root directory access rights
+- Adds class `apache::vhosts` to create apache::vhost resources
+- Adds class `apache::mod::proxy_wstunnel`
+- Adds class `apache::mod::dumpio`
+- Adds class `apache::mod::socache_shmcb`
+- Adds class `apache::mod::authn_dbd`
+- Adds support for apache 2.4 on Amazon Linux
+- Support the newer `mod_auth_cas` config options
+- Adds `wsgi_script_aliases_match` parameter to `apache::vhost`
+- Allow to override all SecDefaultAction attributes
+- Add audit_log_relevant_status parameter to apache::mod::security
+- Allow absolute path to $apache::mod::security::activated_rules
+- Allow setting SecAuditLog
+- Adds `passenger_max_instances_per_app` to `mod::passenger`
+- Allow the proxy_via setting to be configured
+- Allow no_proxy_uris to be used within proxy_pass
+- Add rpaf.conf template parameter to `mod::rpaf`
+- Allow user to specify alternative package and library names for shibboleth module
+- Allows configuration of shibboleth lib path
+- Adds parameter `passenger_data_buffer_dir` to `mod::passenger`
+- Adds SSL stapling 
+- Allows use of `balance_manager` with `mod_proxy_balancer`
+- Raises lower bound of `stdlib` dependency to version 4.2
+- Adds support for Passenger repo on Amazon Linux
+- Add ability to set SSLStaplingReturnResponderErrors on server level 
+- (MODULES-4213) Allow global rewrite rules inheritance in vhosts
+- Moves `mod_env` to its own class and load it when required
+
+#### Bugfixes
+- Deny access to .ht and .hg, which are created by mercurial hg.
+- Instead of failing, include apache::mod::prefork in manifests/mod/itk.pp instead.
+- Only set SSLCompression when it is set to true.
+- Remove duplicate shib2 hash element
+- (MODULES-3388) Include mpm_module classes instead of class declaration
+- Updates `apache::balancer` to respect `apache::confd_dir`
+- Wrap mod_security directives in an IfModule
+- Fixes to various mods for Ubuntu Xenial
+- Fix /etc/modsecurity perms to match package
+- Fix PassengerRoot under Debian stretch
+- (MODULES-3476) Updates regex in apache_version custom fact to work with EL5
+- Dont sql_injection_attacks.data
+- Add force option to confd file resource to purge directory without warnings
+- Patch httpoxy through mod_security
+- Fixes config ordering of IncludeOptional
+- Fixes bug where port numbers were unquoted
+- Fixes bug where empty servername for vhost were written to template
+- Auto-load `slotmem_shm` and `lbmethod_byrequests` with `proxy_balancer` on 2.4
+- Simplify MPM setup on FreeBSD
+- Adds requirement for httpd package
+- Do not set ssl_certs_dir on FreeBSD
+- Fixes bug that produces a duplicate `Listen 443` after a package update on EL7
+- Fixes bug where custom facts break structured facts
+- Avoid relative classname inclusion
+- Fixes a failure in `vhost` if the first element of `$rewrites` is not a hash
+- (MODULES-3744) Process $crs_package before $modsec_dir
+- (MODULES-1491) Adds `::apache` include to mods that need it
+
 ## Supported Release 1.10.0
 #### Summary
 This release fixes backwards compatibility bugs introduced in 1.9.0. Also includes a new mod class and a new vhost feature.

README.md

@@ -1190,6 +1190,12 @@ Specifies whether or not to use [SSLUseStapling](http://httpd.apache.org/docs/cu
 
 This parameter only applies to Apache 2.4 or higher and is ignored on older versions.
 
+##### `ssl_stapling_return_errors`
+
+Can be used to set the [SSLStaplingReturnResponderErrors](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslstaplingreturnrespondererrors) directive. No default. It is possible to override this on a vhost level.
+
+This parameter only applies to Apache 2.4 or higher and is ignored on older versions.
+
 ##### `timeout`
 
 Sets Apache's [`TimeOut`][] directive, which defines the number of seconds Apache waits for certain events before failing a request. Default: 120.

manifests/mod/ssl.pp

@@ -1,18 +1,19 @@
 class apache::mod::ssl (
-  $ssl_compression         = false,
-  $ssl_cryptodevice        = 'builtin',
-  $ssl_options             = [ 'StdEnvVars' ],
-  $ssl_openssl_conf_cmd    = undef,
-  $ssl_cipher              = 'HIGH:MEDIUM:!aNULL:!MD5:!RC4',
-  $ssl_honorcipherorder    = true,
-  $ssl_protocol            = [ 'all', '-SSLv2', '-SSLv3' ],
-  $ssl_pass_phrase_dialog  = 'builtin',
-  $ssl_random_seed_bytes   = '512',
-  $ssl_sessioncachetimeout = '300',
-  $ssl_stapling            = false,
-  $ssl_mutex               = undef,
-  $apache_version          = undef,
-  $package_name            = undef,
+  $ssl_compression            = false,
+  $ssl_cryptodevice           = 'builtin',
+  $ssl_options                = [ 'StdEnvVars' ],
+  $ssl_openssl_conf_cmd       = undef,
+  $ssl_cipher                 = 'HIGH:MEDIUM:!aNULL:!MD5:!RC4',
+  $ssl_honorcipherorder       = true,
+  $ssl_protocol               = [ 'all', '-SSLv2', '-SSLv3' ],
+  $ssl_pass_phrase_dialog     = 'builtin',
+  $ssl_random_seed_bytes      = '512',
+  $ssl_sessioncachetimeout    = '300',
+  $ssl_stapling               = false,
+  $ssl_stapling_return_errors = undef,
+  $ssl_mutex                  = undef,
+  $apache_version             = undef,
+  $package_name               = undef,
 ) {
   include ::apache
   include ::apache::mod::mime
@@ -70,6 +71,10 @@
 
   validate_bool($ssl_stapling)
 
+  if $ssl_stapling_return_errors != undef {
+    validate_bool($ssl_stapling_return_errors)
+  }
+
   $stapling_cache = $::osfamily ? {
     'debian'  => "\${APACHE_RUN_DIR}/ocsp(32768)",
     'redhat'  => '/run/httpd/ssl_stapling(32768)',

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "puppetlabs-apache",
-  "version": "1.10.0",
+  "version": "1.11.0",
   "author": "puppetlabs",
   "summary": "Installs, configures, and manages Apache virtual hosts, web services, and modules.",
   "license": "Apache-2.0",
@@ -55,7 +55,8 @@
     {
       "operatingsystem": "SLES",
       "operatingsystemrelease": [
-        "11 SP1"
+        "11 SP1",
+        "12"
       ]
     },
     {

spec/classes/mod/ssl_spec.rb

@@ -188,6 +188,15 @@
         end
         it { is_expected.to contain_file('ssl.conf').with_content(/^  SSLUseStapling On$/)}
       end
+      context 'setting ssl_stapling_return_errors to true' do
+        let :params do
+          {
+            :apache_version => '2.4',
+            :ssl_stapling_return_errors => true,
+          }
+        end
+        it { is_expected.to contain_file('ssl.conf').with_content(/^  SSLStaplingReturnResponderErrors On$/)}
+      end
     end
 
     context 'setting ssl_pass_phrase_dialog' do

templates/mod/ssl.conf.erb

@@ -22,6 +22,9 @@
   SSLHonorCipherOrder <%= scope.function_bool2httpd([@_ssl_honorcipherorder]) %>
 <% if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%>
   SSLUseStapling <%= scope.function_bool2httpd([@ssl_stapling]) %>
+  <%- if not @ssl_stapling_return_errors.nil? -%>
+  SSLStaplingReturnResponderErrors <%= scope.function_bool2httpd([@ssl_stapling_return_errors]) %>
+  <%- end -%>
   SSLStaplingCache "shmcb:<%= @stapling_cache %>"
 <% end -%>
   SSLCipherSuite <%= @ssl_cipher %>

templates/vhost/_ssl.erb

@@ -49,7 +49,7 @@
   <%- if @ssl_stapling_timeout && scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
   SSLStaplingResponderTimeout <%= @ssl_stapling_timeout %>
   <%- end -%>
-  <%- if @ssl_stapling_return_errors && scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
-  SSLStaplingReturnResponderErrors <%= @ssl_stapling_return_errors %>
+  <%- if (not @ssl_stapling_return_errors.nil?) && (scope.function_versioncmp([@apache_version, '2.4']) >= 0) -%>
+  SSLStaplingReturnResponderErrors <%= scope.function_bool2httpd([@ssl_stapling_return_errors]) %>
   <%- end -%>
 <% end -%>