diff --git a/apache2/README.md b/apache2/README.md new file mode 100644 index 000000000..e4325c383 --- /dev/null +++ b/apache2/README.md 
@@ -0,0 +1,349 @@ +Description +=========== + +This cookbook provides a complete Debian/Ubuntu style Apache HTTPD configuration. Non-Debian based distributions such as Red Hat/CentOS, ArchLinux and others supported by this cookbook will have a configuration that mimics Debian/Ubuntu style as it is easier to manage with Chef. + +Debian-style Apache configuration uses scripts to manage modules and sites (vhosts). The scripts are: + +* a2ensite +* a2dissite +* a2enmod +* a2dismod + +This cookbook ships with templates of these scripts for non Debian/Ubuntu platforms. The scripts are used in the __Definitions__ below. + +Requirements +============ + +## Cookbooks: + +This cookbook doesn't have direct dependencies on other cookbooks. Depending on your OS configuration and security policy, you may need additional recipes or cookbooks for this cookbook's recipes to converge on the node. In particular, the following Operating System nuances may affect the behavior: + +* apt cache outdated +* SELinux enabled +* IPtables +* Compile tools + +On Ubuntu/Debian, use Opscode's `apt` cookbook to ensure the package cache is updated so Chef can install packages, or consider putting apt-get in your bootstrap process or [knife bootstrap template](http://wiki.opscode.com/display/chef/Knife+Bootstrap). + +On RHEL, SELinux is enabled by default. The `selinux` cookbook contains a `permissive` recipe that can be used to set SELinux to "Permissive" state. + +The easiest but certainly not ideal way to deal with IPtables is of course to flush all rules. Opscode does provide an `iptables` cookbook but is migrating from the approach used there to a more robust solution utilizing a general "firewall" LWRP that would have an "iptables" provider. Alternately, you can use ufw, with Opscode's `ufw` and `firewall` cookbooks to set up rules. See those cookbooks' READMEs for documentation. + +Build/compile tools may not be installed on the system by default. 
Some recipes (e.g., `apache2::mode_auth_openid`) build the module from source. Use Opscode's `build-essential` cookbook to get essential build packages installed. + +## Platforms: + +* Debian +* Ubuntu +* Red Hat/CentOS/Scientific Linux/Fedora (RHEL Family) +* SUSE/OpenSUSE +* ArchLinux + +### Notes for RHEL Family: + +On Red Hat Enterprise Linux and derivatives, the EPEL repository may be necessary to install packages used in certain recipes. The `apache2::default` recipe, however, does not require any additional repositories. Opscode's `yum` cookbook contains a recipe to add the EPEL repository. See __Examples__ for more information. + +Attributes +========== + +This cookbook uses many attributes, broken up into a few different kinds. + +Platform specific +----------------- + +In order to support the broadest number of platforms, several attributes are determined based on the node's platform. See the attributes/default.rb file for default values in the case statement at the top of the file. + +* `node['apache']['dir']` - Location for the Apache configuration +* `node['apache']['log_dir']` - Location for Apache logs +* `node['apache']['user']` - User Apache runs as +* `node['apache']['group']` - Group Apache runs as +* `node['apache']['binary']` - Apache httpd server daemon +* `node['apache']['icondir']` - Location for icons +* `node['apache']['cache_dir']` - Location for cached files used by Apache itself or recipes +* `node['apache']['pid_file']` - Location of the PID file for Apache httpd +* `node['apache']['lib_dir']` - Location for shared libraries + +General settings +---------------- + +These are general settings used in recipes and templates. Default values are noted. + +* `node['apache']['listen_ports']` - Ports that httpd should listen on. Default is an array of ports 80 and 443. +* `node['apache']['contact']` - Value for ServerAdmin directive. Default "ops@example.com". +* `node['apache']['timeout']` - Value for the Timeout directive. Default is 300. 
+* `node['apache']['keepalive']` - Value for the KeepAlive directive. Default is On. +* `node['apache']['keepaliverequests']` - Value for MaxKeepAliveRequests. Default is 100. +* `node['apache']['keepalivetimeout']` - Value for the KeepAliveTimeout directive. Default is 5. + +Prefork attributes +------------------ + +Prefork attributes are used for tuning the Apache HTTPD prefork MPM configuration. + +* `node['apache']['prefork']['startservers']` - initial number of server processes to start. Default is 16. +* `node['apache']['prefork']['minspareservers']` - minimum number of spare server processes. Default 16. +* `node['apache']['prefork']['maxspareservers']` - maximum number of spare server processes. Default 32. +* `node['apache']['prefork']['serverlimit']` - upper limit on configurable server processes. Default 400. +* `node['apache']['prefork']['maxclients']` - Maximum number of simultaneous connections. +* `node['apache']['prefork']['maxrequestsperchild']` - Maximum number of request a child process will handle. Default 10000. + +Worker attributes +----------------- + +Worker attributes are used for tuning the Apache HTTPD worker MPM configuration. + +* `node['apache']['worker']['startservers']` - Initial number of server processes to start. Default 4 +* `node['apache']['worker']['maxclients']` - Maximum number of simultaneous connections. Default 1024. +* `node['apache']['worker']['minsparethreads]` - Minimum number of spare worker threads. Default 64 +* `node['apache']['worker']['maxsparethreads]` - Maximum number of spare worker threads. Default 192. +* `node['apache']['worker']['maxrequestsperchild']` - Maximum number of requests a child process will handle. + +Recipes +======= + +Most of the recipes in the cookbook are for enabling Apache modules. Where additional configuration or behavior is used, it is documented below in more detail. 
+ +The following recipes merely enable the specified module: `mod_alias`, `mod_basic`, `mod_digest`, `mod_authn_file`, `mod_authnz_ldap`, `mod_authz_default`, `mod_authz_groupfile`, `mod_authz_host`, `mod_authz_user`, `mod_autoindex`, `mod_cgi`, `mod_dav_fs`, `mod_dav_svn`, `mod_deflate`, `mod_dir`, `mod_env`, `mod_expires`, `mod_headers`, `mod_ldap`, `mod_log_config`, `mod_mime`, `mod_negotiation`, `mod_proxy`, `mod_proxy_ajp`, `mod_proxy_balancer`, `mod_proxy_connect`, `mod_proxy_http`, `mod_python`, `mod_rewrite`, `mod_setenvif`, `mod_status`, `mod_wsgi`, `mod_xsendfile`. + +On RHEL Family distributions, certain modules ship with a config file with the package. The recipes here may delete those configuration files to ensure they don't conflict with the settings from the cookbook, which will use per-module configuration in `/etc/httpd/mods-enabled`. + +default +------- + +The default recipe does a number of things to set up Apache HTTPd. + +mod\_auth\_openid +----------------- + +This recipe compiles the module from source. In addition to `build-essential`, some other packages are included for installation like the GNU C++ compiler and development headers. + +To use the module in your own cookbooks to authenticate systems using OpenIDs, specify an array of OpenIDs that are allowed to authenticate with the attribute `node['apache']['allowed_openids']`. Use the following in a vhost to protect with OpenID authentication: + + AuthOpenIDEnabled On + AuthOpenIDDBLocation /var/cache/apache2/mod_auth_openid.db + AuthOpenIDUserProgram /usr/local/bin/mod_auth_openid.rb + +Change the DBLocation as appropriate for your platform. You'll need to change the file in the recipe to match. The UserProgram is optional if you don't want to limit access by certain OpenIDs. + +mod\_fcgid +---------- + +Installs the fcgi package and enables the module. Requires EPEL on RHEL family. 
+ +On RHEL family, this recipe will delete the fcgid.conf and on version 6+, create the /var/run/httpd/mod_fcgid` directory, which prevents the emergency error: + + [emerg] (2)No such file or directory: mod_fcgid: Can't create shared memory for size XX bytes + +mod\_php5 +-------- + +Simply installs the appropriate package on Debian, Ubuntu and ArchLinux. + +On Red Hat family distributions including Fedora, the php.conf that comes with the package is removed. On RHEL platforms less than v6, the `php53` package is used. + +mod\_ssl +-------- + +Besides installing and enabling `mod_ssl`, this recipe will append port 443 to the `node['apache']['listen_ports']` attribute array and update the ports.conf. + +god\_monitor +------------ + +Sets up a `god` monitor for Apache. External requirements are the `god` and `runit` cookbooks from Opscode. + +Definitions +=========== + +The cookbook provides a few definitions. At some point in the future these definitions may be refactored into lightweight resources and providers. + +apache\_conf +------------ + +Sets up configuration file for an Apache module from a template. The template should be in the same cookbook where the definition is used. This is used by the `apache_module` definition and is not often used directly. + +This will use a template resource to write the module's configuration file in the `mods-available` under the Apache configuration directory (`node['apache']['dir']`). This is a platform-dependent location. See __apache\_module__. + +### Parameters: + +* `name` - Name of the template. When used from the `apache_module`, it will use the same name as the module. + +### Examples: + +Create `#{node['apache']['dir']}/mods-available/alias.conf`. + + apache_conf "alias" + +apache\_module +-------------- + +Enable or disable an Apache module in `#{node['apache']['dir']}/mods-available` by calling `a2enmod` or `a2dismod` to manage the symbolic link in `#{node['apache']['dir']}/mods-enabled`. 
If the module has a configuration file, a template should be created in the cookbook where the definition is used. See __Examples__. + +### Parameters: + +* `name` - Name of the module enabled or disabled with the `a2enmod` or `a2dismod` scripts. +* `enable` - Default true, which uses `a2enmod` to enable the module. If false, the module will be disabled with `a2dismod`. +* `conf` - Default false. Set to true if the module has a config file, which will use `apache_conf` for the file. +* `filename` - specify the full name of the file, e.g. + +### Examples: + +Enable the ssl module, which also has a configuration template in `templates/default/ssl.conf.erb`. + + apache_module "ssl" do + conf true + end + +Enable the php5 module, which has a different filename than the module default: + + apache_module "php5" do + filename "libphp5.so" + end + +Disable a module: + + apache_module "disabled_module" do + enable false + end + +See the recipes directory for many more examples of `apache_module`. + +apache\_site +------------ + +Enable or disable a VirtualHost in `#{node['apache']['dir']}/sites-available` by calling a2ensite or a2dissite to manage the symbolic link in `#{node['apache']['dir']}/sites-enabled`. + +The template for the site must be managed as a separate resource. To combine the template with enabling a site, see `web_app`. + +### Parameters: + +* `name` - Name of the site. +* `enable` - Default true, which uses `a2ensite` to enable the site. If false, the site will be disabled with `a2dissite`. + +web\_app +-------- + +Manage a template resource for a VirtualHost site, and enable it with `apache_site`. This is commonly done for managing web applications such as Ruby on Rails, PHP or Django, and the default behavior reflects that. However it is flexible. 
+ +This definition includes some recipes to make sure the system is configured to have Apache and some sane default modules: + +* `apache2` +* `apache2::mod_rewrite` +* `apache2::mod_deflate` +* `apache2::mod_headers` + +It will then configure the template (see __Parameters__ and __Examples__ below), and enable or disable the site per the `enable` parameter. + +### Parameters: + +Current parameters used by the definition: + +* `name` - The name of the site. The template will be written to `#{node['apache']['dir']}/sites-available/#{params[:name]}.conf` +* `cookbook` - Optional. Cookbook where the source template is. If this is not defined, Chef will use the named template in the cookbook where the definition is used. +* `template` - Default `web_app.conf.erb`, source template file. +* `enable` - Default true. Passed to the `apache_site` definition. + +Additional parameters can be defined when the definition is called in a recipe, see __Examples__. + +### Examples: + +All parameters are passed into the template. You can use whatever you like. The apache2 cookbook comes with a `web_app.conf.erb` template as an example. The following parameters are used in the template: + +* `server_name` - ServerName directive. +* `server_aliases` - ServerAlias directive. Must be an array of aliases. +* `docroot` - DocumentRoot directive. +* `application_name` - Used in RewriteLog directive. Will be set to the `name` parameter. + +To use the default web_app, for example: + + web_app "my_site" do + server_name node['hostname'] + server_aliases [node['fqdn'], "my-site.example.com"] + docroot "/srv/www/my_site" + end + +The parameters specified will be used as: + +* `@params[:server_name]` +* `@params[:server_aliases]` +* `@params[:docroot]` + +In the template. When you write your own, the `@` is significant. 
+ +For more information about Definitions and parameters, see the [Chef Wiki](http://wiki.opscode.com/display/chef/Definitions) + +Usage +===== + +Using this cookbook is relatively straightforward. Add the desired recipes to the run list of a node, or create a role. Depending on your environment, you may have multiple roles that use different recipes from this cookbook. Adjust any attributes as desired. For example, to create a basic role for web servers that provide both HTTP and HTTPS: + + % cat roles/webserver.rb + name "webserver" + description "Systems that serve HTTP and HTTPS" + run_list( + "recipe[apache2]", + "recipe[apache2::mod_ssl]" + ) + default_attributes( + "apache2" => { + "listen_ports" => ["80", "443"] + } + ) + +For examples of using the definitions in your own recipes, see their respective sections above. + +Changes +======= + +## v1.0.0 + +* Red Hat family support is greatly improved, all recipes except `god_monitor` converge. +* Recipe `mod_auth_openid` now works on RHEL family distros +* Recipe `mod_php5` will now remove config from package on RHEL family so it doesn't conflict with the cookbook's. +* Added `php5.conf.erb` template for `mod_php5` recipe. +* Create the run state directory for `mod_fcgid` to prevent a startup error on RHEL version 6. +* New attribute `node['apache']['lib_dir']` to handle lib vs lib64 on RHEL family distributions. +* New attribute `node['apache']['group']`. +* Scientific Linux support added. +* Use a file resource instead of the generate-module-list executed perl script on RHEL family. +* "default" site can now be disabled. +* web_app now has an "enable" parameter. +* Support for dav_fs apache module. +* Tickets resolved in this release: COOK-754, COOK-753, COOK-665, COOK-624, COOK-579, COOK-519, COOK-518 +* Fix node references in template for a2dissite +* Use proper user and group attributes on files and templates. +* Replace the anemic README.rdoc with this new and improved superpowered README.md :). 
+ +License and Authors +=================== + +Author:: Adam Jacob +Author:: Joshua Timberman +Author:: Bryan McLellan +Author:: Dave Esposito +Author:: David Abdemoulaie +Author:: Edmund Haselwanter +Author:: Eric Rochester +Author:: Jim Browne +Author:: Matthew Kent +Author:: Nathen Harvey +Author:: Ringo De Smet +Author:: Sean OMeara +Author:: Seth Chisamore +Author:: Gilles Devaux + +Copyright:: 2009-2011, Opscode, Inc +Copyright:: 2011, Atriso +Copyright:: 2011, CustomInk, LLC. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/apache2/README.rdoc b/apache2/README.rdoc deleted file mode 100644 index e5e2c5440..000000000 --- a/apache2/README.rdoc +++ /dev/null 
@@ -1,78 +0,0 @@ -= DESCRIPTION: - -Complete Debian/Ubuntu style Apache2 configuration. - -= REQUIREMENTS: - -Debian or Ubuntu preferred. - -Red Hat, CentOS, Fedora and ArchLinux can be used but will be converted to a Debian/Ubuntu style Apache as it's far easier to manage with Chef. - -= ATTRIBUTES: - -The file attributes/apache.rb contains the following attribute types: - -* platform specific locations and settings. -* general settings -* prefork attributes -* worker attributes - -General settings and prefork/worker attributes are tunable. - -= USAGE: - -Include the apache2 recipe to install Apache2 and get 'sane' default settings. Configuration is modularized through Apache vhost sites a la Debian style configuration. - -For Red Hat, CentOS and Fedora you should first disable selinux as it's not supported (yet), then remove the stock httpd and all it's dependencies prior to attempting to use this recipe. Many packages in these distributions drop conflicting configs into conf.d, all of which haven't been accounted for yet. Starting from scratch will also make it far easier to debug. - -== Defines: - -* +apache_module+: sets up an Apache module. -* +apache_conf+: sets up a config file for an apache module. -* +apache_site+: sets up a vhost site. The conf file must be available. -* +web_app+: copies the template for a web app and enables it as a site via +apache_site+. - -== Web Apps: - -Various applications that can be set up with Apache as the front end, such as PHP, Django, Rails and others can use the web_app define to set up the template and the Apache site. The define is kind of dumb, so the template needs have the application implementation settings, since we don't know what your app is or what is needed from Apache. - -We only prototype one parameter for the +web_app+ define, "template". This is used to specify the name of the template to use in the current cookbook. When you use +web_app+, you can set up any parameters you want to use in your template. 
They will get passed to the template through the params hash. For example, the sample +web_app.conf.erb+ template in this cookbook makes use of these. - -* +docroot+ -* +server_name+ -* +server_aliases+ - -These are available as +params[:docroot]+, +params[:server_name]+, +params[:server_aliases]+ prefixed with an @ within the template. - -If 'cookbook' and 'template' are not specified, the current cookbook's +templates/default/web_app.conf.erb+ will be used. If this template is not suitable for your application, copy it to your cookbook and customize as needed. - -== God Monitor: - -There's a new recipe, +apache2::god_monitor+. You will need to make sure to include the 'god' recipe before using the +apache2::god_monitor+ recipe in your cookbook. - -== OpenID Auth - -Installs the +mod_auth_openid+ module from source. Specify an array of OpenIDs that are allowed to authenticate with the attribute +apache[:allowed_openids]+. Use the following in a vhost to protect with OpenID authentication: - - AuthOpenIDEnabled On - AuthOpenIDDBLocation /var/cache/apache2/mod_auth_openid.db - AuthOpenIDUserProgram /usr/local/bin/mod_auth_openid.rb - -Change the DBLocation as appropriate for your platform. You'll need to change the file in the recipe to match. The UserProgram is optional if you don't want to limit access by certain OpenIDs. - -= LICENSE & AUTHOR: - -Author:: Joshua Timberman () -Copyright:: 2009, Opscode, Inc - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. 
diff --git a/apache2/attributes/default.rb b/apache2/attributes/default.rb index ba6c48cb2..7d9aa6eed 100644 --- a/apache2/attributes/default.rb +++ b/apache2/attributes/default.rb 
@@ -19,34 +19,50 @@ # Where the various parts of apache are case platform -when "redhat","centos","fedora","suse" +when "redhat","centos","scientific","fedora","suse" set[:apache][:dir] = "/etc/httpd" set[:apache][:log_dir] = "/var/log/httpd" set[:apache][:user] = "apache" + set[:apache][:group] = "apache" set[:apache][:binary] = "/usr/sbin/httpd" set[:apache][:icondir] = "/var/www/icons/" set[:apache][:cache_dir] = "/var/cache/httpd" + if node.platform_version.to_f >= 6 then + set[:apache][:pid_file] = "/var/run/httpd/httpd.pid" + else + set[:apache][:pid_file] = "/var/run/httpd.pid" + end + set[:apache][:lib_dir] = node[:kernel][:machine] == "i386" ? "/usr/lib/httpd" : "/usr/lib64/httpd" when "debian","ubuntu" set[:apache][:dir] = "/etc/apache2" set[:apache][:log_dir] = "/var/log/apache2" set[:apache][:user] = "www-data" + set[:apache][:group] = "www-data" set[:apache][:binary] = "/usr/sbin/apache2" set[:apache][:icondir] = "/usr/share/apache2/icons" set[:apache][:cache_dir] = "/var/cache/apache2" + set[:apache][:pid_file] = "/var/run/apache2.pid" + set[:apache][:lib_dir] = "/usr/lib/apache2" when "arch" set[:apache][:dir] = "/etc/httpd" set[:apache][:log_dir] = "/var/log/httpd" set[:apache][:user] = "http" + set[:apache][:group] = "http" set[:apache][:binary] = "/usr/sbin/httpd" set[:apache][:icondir] = "/usr/share/httpd/icons" set[:apache][:cache_dir] = "/var/cache/httpd" + set[:apache][:pid_file] = "/var/run/httpd/httpd.pid" + set[:apache][:lib_dir] = "/usr/lib/httpd" else set[:apache][:dir] = "/etc/apache2" set[:apache][:log_dir] = "/var/log/apache2" set[:apache][:user] = "www-data" + set[:apache][:group] = "www-data" set[:apache][:binary] = "/usr/sbin/apache2" set[:apache][:icondir] = "/usr/share/apache2/icons" set[:apache][:cache_dir] = "/var/cache/apache2" + set[:apache][:pid_file] = "logs/httpd.pid" + set[:apache][:lib_dir] = "/usr/lib/apache2" end ### 
diff --git a/apache2/definitions/apache_module.rb b/apache2/definitions/apache_module.rb index ff4879167..3078483c3 100644 --- a/apache2/definitions/apache_module.rb +++ b/apache2/definitions/apache_module.rb @@ -19,11 +19,20 @@ define :apache_module, :enable => true, :conf => false do include_recipe "apache2" - + + params[:filename] = params[:filename] || "mod_#{params[:name]}.so" + if params[:conf] apache_conf params[:name] end - + + if platform?("redhat", "centos", "scientific", "fedora", "arch", "suse" ) + file "#{node['apache']['dir']}/mods-available/#{params[:name]}.load" do + content "LoadModule #{params[:name]}_module #{node['apache']['lib_dir']}/modules/#{params[:filename]}\n" + mode 0644 + end + end + if params[:enable] execute "a2enmod #{params[:name]}" do command "/usr/sbin/a2enmod #{params[:name]}" @@ -32,7 +41,7 @@ ((File.exists?("#{node[:apache][:dir]}/mods-available/#{params[:name]}.conf"))? (File.symlink?("#{node[:apache][:dir]}/mods-enabled/#{params[:name]}.conf")):(true))) end - end + end else execute "a2dismod #{params[:name]}" do command "/usr/sbin/a2dismod #{params[:name]}" diff --git a/apache2/definitions/apache_site.rb b/apache2/definitions/apache_site.rb index a4bc774be..8e690e151 100644 --- a/apache2/definitions/apache_site.rb +++ b/apache2/definitions/apache_site.rb @@ -19,12 +19,12 @@ define :apache_site, :enable => true do include_recipe "apache2" - + if params[:enable] execute "a2ensite #{params[:name]}" do command "/usr/sbin/a2ensite #{params[:name]}" notifies :restart, resources(:service => "apache2") - not_if do + not_if do ::File.symlink?("#{node[:apache][:dir]}/sites-enabled/#{params[:name]}") or ::File.symlink?("#{node[:apache][:dir]}/sites-enabled/000-#{params[:name]}") end 
@@ -34,7 +34,10 @@ execute "a2dissite #{params[:name]}" do command "/usr/sbin/a2dissite #{params[:name]}" notifies :restart, resources(:service => "apache2") - only_if do ::File.symlink?("#{node[:apache][:dir]}/sites-enabled/#{params[:name]}") end + only_if do + ::File.symlink?("#{node[:apache][:dir]}/sites-enabled/#{params[:name]}") or + ::File.symlink?("#{node[:apache][:dir]}/sites-enabled/000-#{params[:name]}") + end end end end diff --git a/apache2/definitions/web_app.rb b/apache2/definitions/web_app.rb index 48342d048..aa78ef5fd 100644 --- a/apache2/definitions/web_app.rb +++ b/apache2/definitions/web_app.rb @@ -17,7 +17,7 @@ # limitations under the License. # -define :web_app, :template => "web_app.conf.erb" do +define :web_app, :template => "web_app.conf.erb", :enable => true do application_name = params[:name] @@ -44,6 +44,6 @@ end apache_site "#{params[:name]}.conf" do - enable enable_setting + enable params[:enable] end end diff --git a/apache2/metadata.rb b/apache2/metadata.rb index 27839ba50..4472f950c 100644 --- a/apache2/metadata.rb +++ b/apache2/metadata.rb @@ -2,7 +2,7 @@ maintainer_email "cookbooks@opscode.com" license "Apache 2.0" description "Installs and configures all aspects of apache2 using Debian style symlinks with helper definitions" -long_description IO.read(File.join(File.dirname(__FILE__), 'README.rdoc')) +long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) version "0.99.4" recipe "apache2", "Main Apache configuration" recipe "apache2::mod_alias", "Apache module 'alias' with config file" diff --git a/apache2/recipes/default.rb b/apache2/recipes/default.rb index d874eb7d2..2aee09464 100644 --- a/apache2/recipes/default.rb +++ b/apache2/recipes/default.rb @@ -19,7 +19,7 @@ package "apache2" do case node[:platform] - when "centos","redhat","fedora","suse" + when "redhat","centos","scientific","fedora","suse" package_name "httpd" when "debian","ubuntu" package_name "apache2" 
@@ -31,7 +31,7 @@ service "apache2" do case node[:platform] - when "centos","redhat","fedora","suse" + when "redhat","centos","scientific","fedora","suse" service_name "httpd" # If restarted/reloaded too quickly httpd has a habit of failing. # This may happen with multiple recipes notifying apache to restart - like 
@@ -48,103 +48,106 @@ supports value_for_platform( "debian" => { "4.0" => [ :restart, :reload ], "default" => [ :restart, :reload, :status ] }, "ubuntu" => { "default" => [ :restart, :reload, :status ] }, - "centos" => { "default" => [ :restart, :reload, :status ] }, "redhat" => { "default" => [ :restart, :reload, :status ] }, + "centos" => { "default" => [ :restart, :reload, :status ] }, + "scientific" => { "default" => [ :restart, :reload, :status ] }, "fedora" => { "default" => [ :restart, :reload, :status ] }, "arch" => { "default" => [ :restart, :reload, :status ] }, + "suse" => { "default" => [ :restart, :reload, :status ] }, "default" => { "default" => [:restart, :reload ] } ) action :enable end -if platform?("centos", "redhat", "fedora", "suse", "arch") +if platform?("redhat", "centos", "scientific", "fedora", "arch", "suse" ) directory node[:apache][:log_dir] do mode 0755 action :create end - + + package "perl" + cookbook_file "/usr/local/bin/apache2_module_conf_generate.pl" do source "apache2_module_conf_generate.pl" mode 0755 - owner "root" - group "root" + owner node[:apache][:user] + group node[:apache][:group] end %w{sites-available sites-enabled mods-available mods-enabled}.each do |dir| directory "#{node[:apache][:dir]}/#{dir}" do mode 0755 - owner "root" - group "root" + owner node[:apache][:user] + group node[:apache][:group] action :create end end - + execute "generate-module-list" do - if node[:kernel][:machine] == "x86_64" + if node[:kernel][:machine] == "x86_64" libdir = value_for_platform("arch" => { "default" => "lib" }, "default" => "lib64") - else + else libdir = "lib" end command "/usr/local/bin/apache2_module_conf_generate.pl /usr/#{libdir}/httpd/modules /etc/httpd/mods-available" action :run end - + %w{a2ensite a2dissite a2enmod a2dismod}.each do |modscript| template "/usr/sbin/#{modscript}" do source "#{modscript}.erb" mode 0755 - owner "root" - group "root" - end + owner node[:apache][:user] + group node[:apache][:group] + end end # 
installed by default on centos/rhel, remove in favour of mods-enabled - file "#{node[:apache][:dir]}/conf.d/proxy_ajp.conf" do - action :delete - backup false + %w{ proxy_ajp auth_pam authz_ldap webalizer ssl welcome }.each do |f| + file "#{node[:apache][:dir]}/conf.d/#{f}.conf" do + action :delete + backup false + end end + + # installed by default on centos/rhel, remove in favour of mods-enabled file "#{node[:apache][:dir]}/conf.d/README" do action :delete backup false end - - # welcome page moved to the default-site.rb temlate - file "#{node[:apache][:dir]}/conf.d/welcome.conf" do - action :delete - backup false - end end directory "#{node[:apache][:dir]}/ssl" do action :create mode 0755 - owner "root" - group "root" + owner node[:apache][:user] + group node[:apache][:group] end directory "#{node[:apache][:dir]}/conf.d" do action :create mode 0755 - owner "root" - group "root" + owner node[:apache][:user] + group node[:apache][:group] end directory node[:apache][:cache_dir] do action :create mode 0755 owner node[:apache][:user] + group node[:apache][:group] end template "apache2.conf" do case node[:platform] - when "centos","redhat","fedora","arch" + when "redhat", "centos", "scientific", "fedora", "arch" path "#{node[:apache][:dir]}/conf/httpd.conf" when "debian","ubuntu" path "#{node[:apache][:dir]}/apache2.conf" end source "apache2.conf.erb" - owner "root" - group "root" + owner node[:apache][:user] + group node[:apache][:group] mode 0644 notifies :restart, resources(:service => "apache2") end @@ -152,8 +155,8 @@ template "security" do path "#{node[:apache][:dir]}/conf.d/security" source "security.erb" - owner "root" - group "root" + owner node[:apache][:user] + group node[:apache][:group] mode 0644 backup false notifies :restart, resources(:service => "apache2") 
@@ -162,8 +165,8 @@ template "charset" do path "#{node[:apache][:dir]}/conf.d/charset" source "charset.erb" - owner "root" - group "root" + owner node[:apache][:user] + group node[:apache][:group] mode 0644 backup false notifies :restart, resources(:service => "apache2") @@ -171,8 +174,8 @@ template "#{node[:apache][:dir]}/ports.conf" do source "ports.conf.erb" - group "root" - owner "root" + owner node[:apache][:user] + group node[:apache][:group] variables :apache_listen_ports => node[:apache][:listen_ports] mode 0644 notifies :restart, resources(:service => "apache2") @@ -180,8 +183,8 @@ template "#{node[:apache][:dir]}/sites-available/default" do source "default-site.erb" - owner "root" - group "root" + owner node[:apache][:user] + group node[:apache][:group] mode 0644 notifies :restart, resources(:service => "apache2") end @@ -200,9 +203,9 @@ include_recipe "apache2::mod_mime" include_recipe "apache2::mod_negotiation" include_recipe "apache2::mod_setenvif" -include_recipe "apache2::mod_log_config" if platform?("centos", "redhat", "fedora", "suse", "arch") +include_recipe "apache2::mod_log_config" if platform?("redhat", "centos", "scientific", "fedora", "suse", "arch") -apache_site "default" if platform?("centos", "redhat", "fedora") +apache_site "default" if platform?("redhat", "centos", "scientific", "fedora") service "apache2" do action :start diff --git a/apache2/recipes/mod_auth_openid.rb b/apache2/recipes/mod_auth_openid.rb index cc33eb887..f0538466f 100644 --- a/apache2/recipes/mod_auth_openid.rb +++ b/apache2/recipes/mod_auth_openid.rb 
@@ -18,8 +18,10 @@ # openid_dev_pkgs = value_for_platform( - "ubuntu" => { "default" => %w{ apache2-prefork-dev libopkele-dev libopkele3 } }, - "debian" => { "default" => %w{ apache2-prefork-dev libopkele-dev libopkele3 } }, + ["ubuntu","debian"] => { "default" => %w{ g++ apache2-prefork-dev libopkele-dev libopkele3 } }, + ["centos","redhat","scientific","fedora"] => { + "default" => %w{ gcc-c++ httpd-devel curl-devel libtidy libtidy-devel sqlite-devel pcre-devel openssl-devel make } + }, "arch" => { "default" => ["libopkele"] } ) @@ -40,6 +42,26 @@ end end +case node[:platform] +when "redhat", "centos", "scientific", "fedora" + remote_file "#{Chef::Config[:file_cache_path]}/libopkele-2.0.4.tar.gz" do + source "http://kin.klever.net/dist/libopkele-2.0.4.tar.gz" + mode 0644 + end + + bash "install libopkele" do + cwd "#{Chef::Config[:file_cache_path]}" + # Ruby 1.8.6 does not have rpartition, unfortunately + syslibdir = node[:apache][:lib_dir][0..node[:apache][:lib_dir].rindex("/")] + code <<-EOH + tar zxvf libopkele-2.0.4.tar.gz + cd libopkele-2.0.4 && ./configure --prefix=/usr --libdir=#{syslibdir} + make && make install + EOH + not_if { File.exists?("#{syslibdir}/libopkele.a") } + end +end + remote_file "#{Chef::Config[:file_cache_path]}/mod_auth_openid-0.4.tar.gz" do source "http://butterfat.net/releases/mod_auth_openid/mod_auth_openid-0.4.tar.gz" mode 0644 @@ -53,12 +75,7 @@ perl -pi -e "s/-i -a -n 'authopenid'/-i -n 'authopenid'/g" Makefile make && make install EOH - case node[:platform] - when "arch" - not_if { ::File.exists?("/usr/lib/httpd/modules/mod_auth_openid.so") } - else - not_if { ::File.exists?("/usr/lib/apache2/modules/mod_auth_openid.so") } - end + not_if { ::File.exists?("#{node[:apache][:lib_dir]}/modules/mod_auth_openid.so") } end file "#{node[:apache][:cache_dir]}/mod_auth_openid.db" do 
@@ -68,12 +85,14 @@ template "#{node[:apache][:dir]}/mods-available/authopenid.load" do source "mods/authopenid.load.erb" - owner "root" - group "root" + owner node[:apache][:user] + group node[:apache][:group] mode 0644 end -apache_module "authopenid" +apache_module "authopenid" do + filename "mod_auth_openid.so" +end template "/usr/local/bin/mod_auth_openid.rb" do source "mod_auth_openid.rb.erb" diff --git a/apache2/recipes/mod_dav_fs.rb b/apache2/recipes/mod_dav_fs.rb new file mode 100644 index 000000000..6d0ef1d73 --- /dev/null +++ b/apache2/recipes/mod_dav_fs.rb @@ -0,0 +1,20 @@ +# +# Cookbook Name:: apache2 +# Recipe:: dav_fs +# +# Copyright 2011, Atriso +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +apache_module "dav_fs" \ No newline at end of file diff --git a/apache2/recipes/mod_dav_svn.rb b/apache2/recipes/mod_dav_svn.rb index ce50d549d..ebf89b6c3 100644 --- a/apache2/recipes/mod_dav_svn.rb +++ b/apache2/recipes/mod_dav_svn.rb @@ -17,6 +17,13 @@ # limitations under the License. # -package "libapache2-svn" +package "libapache2-svn" do + case node['platform'] + when "centos","redhat","scientific","fedora","suse" + package_name "mod_dav_svn" + else + package_name "libapache2-svn" + end +end apache_module "dav_svn" diff --git a/apache2/recipes/mod_fcgid.rb b/apache2/recipes/mod_fcgid.rb index 8d079f302..5aac93c33 100644 --- a/apache2/recipes/mod_fcgid.rb +++ b/apache2/recipes/mod_fcgid.rb 
@@ -1,6 +1,6 @@ # # Cookbook Name:: apache2 -# Recipe:: fcgid +# Recipe:: fcgid # # Copyright 2008-2009, Opscode, Inc. # @@ -19,18 +19,26 @@ if platform?("debian", "ubuntu") package "libapache2-mod-fcgid" -elsif platform?("centos", "redhat", "fedora", "arch") +elsif platform?("redhat", "centos", "scientific", "fedora", "arch") package "mod_fcgid" do notifies :run, resources(:execute => "generate-module-list"), :immediately end file "#{node[:apache][:dir]}/conf.d/fcgid.conf" do action :delete - backup false + backup false + end + + if node['platform_version'].to_i >= 6 + directory "/var/run/httpd/mod_fcgid" do + recursive true + end end elsif platform?("suse") - apache_lib_path = node[:architecture] == "i386" ? "/usr/lib/httpd" : "/usr/lib64/httpd" + apache_lib_path = node[:apache][:lib_dir] + package "httpd-devel" + bash "install-fcgid" do code <<-EOH (cd #{Chef::Config[:file_cache_path]}; wget http://superb-east.dl.sourceforge.net/sourceforge/mod-fcgid/mod_fcgid.2.2.tgz) diff --git a/apache2/recipes/mod_log_config.rb b/apache2/recipes/mod_log_config.rb index 1a77336d3..07ceb9eb9 100644 --- a/apache2/recipes/mod_log_config.rb +++ b/apache2/recipes/mod_log_config.rb @@ -17,7 +17,7 @@ # limitations under the License. # -if platform?("centos", "redhat", "fedora", "suse", "arch") +if platform?("redhat", "centos", "scientific", "fedora", "suse", "arch") apache_module "log_config" else include_recipe "apache2" diff --git a/apache2/recipes/mod_php5.rb b/apache2/recipes/mod_php5.rb index 80e2bce96..14cbbeff4 100644 --- a/apache2/recipes/mod_php5.rb +++ b/apache2/recipes/mod_php5.rb 
@@ -22,16 +22,57 @@ package "libapache2-mod-php5" do action :install end + when "arch" package "php-apache" do action :install notifies :run, resources(:execute => "generate-module-list"), :immediately end -when "centos", "redhat", "fedora" - package "php53" do + +when "redhat", "centos", "scientific" + package "php package" do + if node.platform_version.to_f < 6.0 + package_name "php53" + else + package_name "php" + end action :install notifies :run, resources(:execute => "generate-module-list"), :immediately end + + # delete stock config + file "#{node[:apache][:dir]}/conf.d/php.conf" do + action :delete + end + + # replace with debian style config + template "#{node[:apache][:dir]}/mods-available/php5.conf" do + source "mods/php5.conf.erb" + notifies :restart, "service[apache2]" + end + +when "fedora" + package "php package" do + package_name "php" + action :install + notifies :run, resources(:execute => "generate-module-list"), :immediately + end + + # delete stock config + file "#{node[:apache][:dir]}/conf.d/php.conf" do + action :delete + end + + # replace with debian style config + template "#{node[:apache][:dir]}/mods-available/php5.conf" do + source "mods/php5.conf.erb" + notifies :restart, "service[apache2]" + end end -apache_module "php5" +apache_module "php5" do + case node['platform'] + when "redhat","centos","scientific","fedora" + filename "libphp5.so" + end +end diff --git a/apache2/recipes/mod_python.rb b/apache2/recipes/mod_python.rb index d524556ea..f0e5a8be4 100644 --- a/apache2/recipes/mod_python.rb +++ b/apache2/recipes/mod_python.rb @@ -22,7 +22,7 @@ package "libapache2-mod-python" do action :install end - when "centos", "redhat", "fedora" + when "redhat", "centos", "scientific", "fedora" package "mod_python" do action :install notifies :run, resources(:execute => "generate-module-list"), :immediately diff --git a/apache2/recipes/mod_ssl.rb b/apache2/recipes/mod_ssl.rb index 97123842f..edd988a40 100644 --- a/apache2/recipes/mod_ssl.rb 
+++ b/apache2/recipes/mod_ssl.rb @@ -17,7 +17,7 @@ # limitations under the License. # -if platform?("centos", "redhat", "fedora") +if platform?("redhat", "centos", "scientific", "fedora") package "mod_ssl" do action :install notifies :run, resources(:execute => "generate-module-list"), :immediately diff --git a/apache2/recipes/mod_wsgi.rb b/apache2/recipes/mod_wsgi.rb index ede032088..95eda1d3c 100644 --- a/apache2/recipes/mod_wsgi.rb +++ b/apache2/recipes/mod_wsgi.rb @@ -20,7 +20,7 @@ case node[:platform] when "debian","ubuntu" package "libapache2-mod-wsgi" -when "redhat","centos","fedora", "arch" +when "redhat", "centos", "scientific", "fedora", "arch" package "mod_wsgi" end diff --git a/apache2/templates/default/a2dissite.erb b/apache2/templates/default/a2dissite.erb index 41feda57f..69361abd0 100644 --- a/apache2/templates/default/a2dissite.erb +++ b/apache2/templates/default/a2dissite.erb @@ -5,7 +5,7 @@ SYSCONFDIR='<%= node[:apache][:dir] %>' if [ -z $1 ]; then echo "Which site would you like to disable?" echo -n "Your choices are: " - ls $node[:apache][:dir]/sites-enabled/* | \ + ls $SYSCONFDIR/sites-enabled/* | \ sed -e "s,$SYSCONFDIR/sites-enabled/,,g" | xargs echo echo -n "Site name? " read SITENAME @@ -26,4 +26,4 @@ fi if ! rm $SYSCONFDIR/sites-enabled/$SITENAME 2>/dev/null; then rm -f $SYSCONFDIR/sites-enabled/"$PRIORITY"-"$SITENAME" fi -echo "Site $SITENAME disabled; reload apache to disable." \ No newline at end of file +echo "Site $SITENAME disabled; reload apache to disable." diff --git a/apache2/templates/default/apache2.conf.erb b/apache2/templates/default/apache2.conf.erb index 02b49a55f..214c57ee9 100644 --- a/apache2/templates/default/apache2.conf.erb +++ b/apache2/templates/default/apache2.conf.erb 
@@ -18,15 +18,7 @@ LockFile logs/accept.lock # PidFile: The file in which the server should record its process # identification number when it starts. # -<% if node[:platform] == "debian" || node[:platform] == "ubuntu" -%> -PidFile /var/run/apache2.pid -<% elsif node[:platform] == "centos" || node[:platform] == "redhat" || node[:platform] == "fedora" -%> -PidFile /var/run/httpd.pid -<% elsif node[:platform] == "arch" -%> -PidFile /var/run/httpd/httpd.pid -<% else -%> -PidFile logs/httpd.pid -<% end -%> +PidFile <%= node[:apache][:pid_file] %> # # Timeout: The number of seconds before receives and sends time out. diff --git a/apache2/templates/default/default-site.erb b/apache2/templates/default/default-site.erb index 14b25639c..60d23d546 100644 --- a/apache2/templates/default/default-site.erb +++ b/apache2/templates/default/default-site.erb @@ -42,7 +42,7 @@ Allow from 127.0.0.0/255.0.0.0 ::1/128 - <% if node[:platform] == "centos" || node[:platform] == "redhat" || node[:platform] == "fedora" -%> + <% if %w{ redhat centos scientific fedora }.include?(node[:platform]) -%> # # This configuration file enables the default "Welcome" # page if there is no default index page present for diff --git a/apache2/templates/default/mods/authopenid.load.erb b/apache2/templates/default/mods/authopenid.load.erb index 71125085a..e2364f752 100644 --- a/apache2/templates/default/mods/authopenid.load.erb +++ b/apache2/templates/default/mods/authopenid.load.erb @@ -1,6 +1 @@ -<% case node[:platform] -%> -<% when "arch" -%> -LoadModule authopenid_module /usr/lib/httpd/modules/mod_auth_openid.so -<% else -%> -LoadModule authopenid_module /usr/lib/apache2/modules/mod_auth_openid.so -<% end -%> +LoadModule authopenid_module <%= node[:apache][:lib_dir] %>/modules/mod_auth_openid.so diff --git a/apache2/templates/default/mods/fcgid.conf.erb b/apache2/templates/default/mods/fcgid.conf.erb index 0e6fc9a89..46e6b71bd 100644 --- a/apache2/templates/default/mods/fcgid.conf.erb 
+++ b/apache2/templates/default/mods/fcgid.conf.erb @@ -3,7 +3,7 @@ IPCConnectTimeout 20 -<% if node[:platform] == "centos" || node[:platform] == "redhat" || node[:platform] == "fedora" -%> +<% if %w{ redhat centos scientific fedora }.include?(node[:platform]) -%> # Sane place to put sockets and shared memory file SocketPath run/mod_fcgid SharememPath run/mod_fcgid/fcgid_shm diff --git a/apache2/templates/default/mods/php5.conf.erb b/apache2/templates/default/mods/php5.conf.erb new file mode 100644 index 000000000..5d2f9112f --- /dev/null +++ b/apache2/templates/default/mods/php5.conf.erb @@ -0,0 +1,16 @@ + + + SetHandler application/x-httpd-php + + + SetHandler application/x-httpd-php-source + + # To re-enable php in user directories comment the following lines + # (from to .) Do NOT set it to On as it + # prevents .htaccess files from disabling it. + + + php_admin_value engine Off + + + diff --git a/apache2/templates/default/mods/ssl.conf.erb b/apache2/templates/default/mods/ssl.conf.erb index 3b7735f66..cc91b8b77 100644 --- a/apache2/templates/default/mods/ssl.conf.erb +++ b/apache2/templates/default/mods/ssl.conf.erb @@ -39,7 +39,7 @@ SSLPassPhraseDialog builtin # Configure the SSL Session Cache: First the mechanism # to use and second the expiring timeout (in seconds). #SSLSessionCache dbm:/var/run/apache2/ssl_scache -<% if node[:platform] == "centos" || node[:platform] == "redhat" || node[:platform] == "fedora" -%> +<% if %w{ redhat centos scientific fedora }.include?(node[:platform]) -%> SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) <% else -%> SSLSessionCache shmcb:/var/run/apache2/ssl_scache 
@@ -49,7 +49,7 @@ SSLSessionCacheTimeout 300 # Semaphore: # Configure the path to the mutual exclusion semaphore the # SSL engine uses internally for inter-process synchronization. -<% if node[:platform] == "centos" || node[:platform] == "redhat" || node[:platform] == "fedora" -%> +<% if %w{ redhat centos scientific fedora }.include?(node[:platform]) -%> SSLMutex default <% else -%> SSLMutex file:/var/run/apache2/ssl_mutex
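Review bot: in apache2/recipes/default.rb, changing `owner "root"` / `group "root"` to `node[:apache][:user]` / `node[:apache][:group]` on apache2.conf, ports.conf, conf.d, conf.d/security, conf.d/charset, sites-available/default and the ssl directory hands the server configuration to the same account that already owns `node[:apache][:cache_dir]`. If that attribute is the account the httpd workers run as, a compromised worker or web application could rewrite the configuration that is loaded on the next `notifies :restart`, and would own the directory intended for TLS material. Suggest keeping root:root on everything under `node[:apache][:dir]` and limiting the apache user to the cache directory. The same applies to mods-available/authopenid.load in mod_auth_openid.rb.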
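Review bot: the new `remote_file` for libopkele-2.0.4.tar.gz in apache2/recipes/mod_auth_openid.rb fetches the tarball over plain `http://` with no `checksum`, and the `bash "install libopkele"` block then runs `./configure` and `make && make install` on it with `--prefix=/usr`. Anything able to alter the download in transit or on the mirror gets code executed with the privileges of the Chef run. Suggest pinning a SHA-256 with the `checksum` attribute on the `remote_file`. The three lines in `code` are also not chained: if `tar` or `cd` fails, `make && make install` still runs in `file_cache_path`, so starting the script with `set -e` would stop it at the first failure.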
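Review bot: in apache2/recipes/mod_fcgid.rb, the new `directory "/var/run/httpd/mod_fcgid"` resource sets only `recursive true`, with no `owner`, `group` or `mode`, so its ownership and permissions come from the umask of the Chef run. This looks like the directory that mods/fcgid.conf.erb uses for `SocketPath run/mod_fcgid` and `SharememPath run/mod_fcgid/fcgid_shm`, which the httpd workers must be able to write and which other local users should not. Suggest setting `owner node[:apache][:user]`, `group node[:apache][:group]` and an explicit restrictive `mode`. The `node['platform_version'].to_i >= 6` guard also sits in the branch shared with fedora and arch, so check what it evaluates to on those platforms.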
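Review bot: in apache2/recipes/mod_php5.rb, the `template "#{node[:apache][:dir]}/mods-available/php5.conf"` resource is added without `owner`, `group` or `mode`, unlike the other templates touched in this patch, so its permissions depend on the umask of the Chef run. Suggest setting them explicitly. The `conf.d/php.conf` delete and the template are also duplicated verbatim in the "redhat", "centos", "scientific" branch and the "fedora" branch. Moving them below the package selection, and keeping only `package_name` per platform, would leave one copy, and the delete could take `backup false` to match the other conf.d deletions in default.rb.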
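Review bot: in apache2/templates/default/a2dissite.erb the `ls $SYSCONFDIR/sites-enabled/*` fix is right, but the surrounding lines still expand `$1` and `$SITENAME` unquoted (`if [ -z $1 ]`, `rm $SYSCONFDIR/sites-enabled/$SITENAME`). A site name containing whitespace, a glob character or `../` makes `rm` act on files other than the intended sites-enabled entry. Suggest quoting every expansion and rejecting names that contain `/` before the `rm`.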
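Review bot: in apache2/templates/default/apache2.conf.erb the removed block had an `else` branch (`PidFile logs/httpd.pid`) for platforms not named explicitly, while the replacement `PidFile <%= node[:apache][:pid_file] %>` renders an empty directive wherever that attribute is unset. Confirm the attributes file defines `pid_file` for every supported platform (suse previously fell through to the `else`), or give the attribute a default.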