Skip to content
Module to set default options for the Apache web server. Uses puppetlabs-apache.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Table of Contents

  1. Description
  2. Setup
  3. Usage
  4. Reference
  5. Limitations
  6. Development


This module preconfigures the Apache HTTP Web Server using puppetlabs-apache so the server runs both HTTP and HTTPS, supports proxying and uses a secure set of SSL ciphers and protocols.


What hx_apache affects

  • This module uses the puppetlabs-apache-module, so it will automatically purge all (Apache) configuration files not managed by Puppet.

Beginning with hx_apache

The most simple configuration is:

class {'hx_apache': }


Default configuration

The module itself will automatically set the following parameters:

  • Enable both HTTP (port 80) and HTTPS (port 443).
  • Enable the proxy modules mod_proxy, mod_proxy_http (HTTP) and mod_proxy_connect (HTTPS).
  • Deny access to any .git directory in the _DocumentRoot_s of all configured websites.


By changing the parameters to hx_apache, you can influence the following settings:

  • ssl_cipher: provide a list of ciphers the server will support. The server will chose one from the list starting at the leftmost cipher. Separate ciphers with a colon (:).

  • ssl_protocol: provide an array of supported protocols. Uses the same syntax as the Apache configuration file (e.g. -SSLv2 is supported).

  • default_mods: list of modules that will be loaded by default. See the puppetlabs-apache documentation for the correct syntax.


Class hx_apache

The base class.


  • ssl_cipher: string of supported SSL ciphers. Uses the same syntax as the Apache configuration file. Default value is ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256.

  • ssl_protocol: array of supported SSL protocols. Uses the same syntax as the Apache configuration file. Default value is ['all', '-SSLv2', '-SSLv3' '-TLSv1', '-TLSv1.1'].

  • default_mods: array of modules that are loaded by default. Uses puppetlabs-apache syntax. By default set to ['auth_basic', 'setenvif', 'headers', 'env', 'authz_user', 'alias', 'autoindex', 'mime', 'rewrite', 'authn_file', 'negotiation', 'access_compat', 'deflate', 'authn_core', 'dir'].

  • server_admin: configure the ServerAdmin setting. Set to hostname@domain by default (e.g.


This module was tested on Ubuntu 14.04, but should work with all Ubuntu versions. Only works for Apache >= 2.4. RedHat-based systems are also supported.


Pull requests welcome at

You can’t perform that action at this time.