diff --git a/apache2/templates/centos/apache2.conf.erb b/apache2/templates/centos/apache2.conf.erb
new file mode 100644
index 0000000000..efedca6b09
--- /dev/null
+++ b/apache2/templates/centos/apache2.conf.erb
@@ -0,0 +1,249 @@ +# +# Generated by Chef +# +# Based on the Ubuntu apache2.conf + +# This is the main Apache server configuration file. It contains the +# configuration directives that give the server its instructions. +# See http://httpd.apache.org/docs/2.4/ for detailed information about +# the directives and /usr/share/doc/apache2/README.Debian about Debian specific +# hints. +# +# +# Summary of how the Apache 2 configuration works in Debian: +# The Apache 2 web server configuration in Debian is quite different to +# upstream's suggested way to configure the web server. This is because Debian's +# default Apache2 installation attempts to make adding and removing modules, +# virtual hosts, and extra configuration directives as flexible as possible, in +# order to make automating the changes and administering the server as easy as +# possible. + +# It is split into several files forming the configuration hierarchy outlined +# below, all located in the /etc/apache2/ directory: +# +# /etc/apache2/ +# |-- apache2.conf +# | `-- ports.conf +# |-- mods-enabled +# | |-- *.load +# | `-- *.conf +# |-- conf-enabled +# | `-- *.conf +# `-- sites-enabled +# `-- *.conf +# +# +# * apache2.conf is the main configuration file (this file). It puts the pieces +# together by including all remaining configuration files when starting up the +# web server. +# +# * ports.conf is always included from the main configuration file. It is +# supposed to determine listening ports for incoming connections which can be +# customized anytime. +# +# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ +# directories contain particular configuration snippets which manage modules, +# global configuration fragments, or virtual host configurations, +# respectively. +# +# They are activated by symlinking available configuration files from their +# respective *-available/ counterparts. 
These should be managed by using our +# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See +# their respective man pages for detailed information. +# +# * The binary is called apache2. Due to the use of environment variables, in +# the default configuration, apache2 needs to be started/stopped with +# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not +# work with the default configuration. + + +# Global configuration +# + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# NOTE! If you intend to place this on an NFS (or otherwise network) +# mounted filesystem then please read the Mutex documentation (available +# at ); +# you will save yourself a lot of trouble. +# +# Do NOT add a slash at the end of the directory path. +# +ServerRoot "<%= node[:apache][:dir] %>" + +# +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# +Mutex file:<%= node[:apache][:lock_dir] %> default + +# +# PidFile: The file in which the server should record its process +# identification number when it starts. +# This needs to be set in /etc/apache2/envvars +# +PidFile <%= node[:apache][:pid_file] %> + +# +# Timeout: The number of seconds before receives and sends time out. +# +Timeout <%= node[:apache][:timeout] %> + +# +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +# +KeepAlive <%= node[:apache][:keepalive] %> + +# +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +# +MaxKeepAliveRequests <%= node[:apache][:keepaliverequests] %> + +# +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. 
+# +KeepAliveTimeout <%= node[:apache][:keepalivetimeout] %> + +## +## Server-Pool Size Regulation (MPM specific) +## + +# prefork MPM +# StartServers: number of server processes to start +# MinSpareServers: minimum number of server processes which are kept spare +# MaxSpareServers: maximum number of server processes which are kept spare +# MaxRequestWorkers: maximum number of server processes allowed to start (was: MaxClients) +# MaxConnectionsPerChild: maximum number of requests a server process serves (was: MaxRequestsPerChild) + + StartServers <%= node[:apache][:prefork][:startservers] %> + MinSpareServers <%= node[:apache][:prefork][:minspareservers] %> + MaxSpareServers <%= node[:apache][:prefork][:maxspareservers] %> + ServerLimit <%= node[:apache][:prefork][:serverlimit] %> + MaxRequestWorkers <%= node[:apache][:prefork][:maxrequestworkers] %> + MaxConnectionsPerChild <%= node[:apache][:prefork][:maxconnectionsperchild] %> + + +# worker MPM +# StartServers: initial number of server processes to start +# MaxRequestWorkers: maximum number of server processes allowed to start (was: MaxClients) +# MinSpareThreads: minimum number of worker threads which are kept spare +# MaxSpareThreads: maximum number of worker threads which are kept spare +# ThreadsPerChild: constant number of worker threads in each server process +# MaxConnectionsPerChild: maximum number of requests a server process serves (was: MaxRequestsPerChild) + + StartServers <%= node[:apache][:worker][:startservers] %> + MaxRequestWorkers <%= node[:apache][:worker][:maxrequestworkers] %> + MinSpareThreads <%= node[:apache][:worker][:minsparethreads] %> + MaxSpareThreads <%= node[:apache][:worker][:maxsparethreads] %> + ThreadsPerChild <%= node[:apache][:worker][:threadsperchild] %> + MaxConnectionsPerChild <%= node[:apache][:worker][:maxconnectionsperchild] %> + + +# These need to be set in /etc/apache2/envvars +User <%= node[:apache][:user] %> +Group <%= node[:apache][:group] %> + +# +# DefaultType 
is the default MIME type the server will use for a document +# if it cannot otherwise determine one, such as from filename extensions. +# If your server contains mostly text or HTML documents, "text/plain" is +# a good value. If most of your content is binary, such as applications +# or images, you may want to use "application/octet-stream" instead to +# keep browsers from trying to display binary files as though they are +# text. +# +# Deprecated - just generates a warning. +# +#DefaultType text/plain + +# +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +# +HostnameLookups Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +# +ErrorLog <%= node[:apache][:log_dir] %>/error.log + +# +# LogLevel: Control the severity of messages logged to the error_log. +# Available values: trace8, ..., trace1, debug, info, notice, warn, +# error, crit, alert, emerg. +# It is also possible to configure the log level for particular modules, e.g. +# "LogLevel info ssl:warn" +# +LogLevel <%= node[:apache][:log_level] %> + +# Include module configuration: +IncludeOptional mods-enabled/*.load +IncludeOptional mods-enabled/*.conf + +# Include list of ports to listen on +Include ports.conf + +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. 
+# +AccessFileName .htaccess + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# + + Require all denied + + + +# +# The following directives define some format nicknames for use with +# a CustomLog directive. +# +# These deviate from the Common Log Format definitions in that they use %O +# (the actual bytes sent including headers) instead of %b (the size of the +# requested file), because the latter makes it impossible to detect partial +# requests. +# +# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended. +# Use mod_remoteip instead. +# +LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined +LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%h %l %u %t \"%r\" %>s %O" common +LogFormat "%{Referer}i -> %U" referer +LogFormat "%{User-agent}i" agent +LogFormat "%v %A %a %u %{%Y-%m-%dT%H:%M:%S}t %X %s %>s %B %D cookie \"Referer\" \"%r\" \"User-Agent\" %P" ganglia + +ServerName 127.0.0.1 + +# Include of directories ignores editors' and dpkg's backup files, +# see README.Debian for details. + +# Include generic snippets of statements +IncludeOptional conf.modules.d/*.conf + +# Include the virtual host configurations: +IncludeOptional sites-enabled/*.conf + + + Header always unset "Server" + Header always unset "X-Powered-By" + Header always unset "X-Runtime" + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/apache2/templates/centos/mods/deflate.conf.erb b/apache2/templates/centos/mods/deflate.conf.erb new file mode 100644 index 0000000000..e5bb0a07e0 --- /dev/null +++ b/apache2/templates/centos/mods/deflate.conf.erb @@ -0,0 +1,7 @@ + + + AddOutputFilterByType DEFLATE <%= node[:apache][:deflate_types].join(' ') %> + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet 
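Review bot: The Server banner is only reduced through the `Header always unset "Server"` line inside the mod_headers block near the end of the hunk, and there is no `ServerTokens` or `ServerSignature` directive anywhere in the file; httpd's core adds the Server header itself, so a mod_headers unset is not reliably honoured for it, and ServerSignature still appends the version to generated error pages. Add `ServerTokens Prod` and `ServerSignature Off` next to `HostnameLookups Off` as the supported way to minimise the banner (the Header lines can stay as belt and braces). The header comment is also copied from the Debian file and points readers at `/usr/share/doc/apache2/README.Debian`, `/etc/apache2/envvars` and `/etc/init.d/apache2`, none of which apply to the CentOS target; trim it to what is true here, e.g. `# Generated by Chef for CentOS; ServerRoot, lock, pid and log paths come from the node[:apache] attributes.`.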
diff --git a/apache2/templates/centos/mods/fcgid.conf.erb b/apache2/templates/centos/mods/fcgid.conf.erb
new file mode 100644
index 0000000000..ace956d263
--- /dev/null
+++ b/apache2/templates/centos/mods/fcgid.conf.erb
@@ -0,0 +1,7 @@
+
+ FcgidConnectTimeout 20
+
+
+ AddHandler fcgid-script .fcgi
+
+
diff --git a/apache2/templates/centos/mods/php5.conf.erb b/apache2/templates/centos/mods/php5.conf.erb
new file mode 100644
index 0000000000..2e9772fbfa
--- /dev/null
+++ b/apache2/templates/centos/mods/php5.conf.erb
@@ -0,0 +1,27 @@
+
+ SetHandler application/x-httpd-php
+
+
+ SetHandler application/x-httpd-php-source
+ # Deny access to raw php sources by default
+ # To re-enable it's recommended to enable access to the files
+ # only in specific virtual host or directory
+ Order Deny,Allow
+ Deny from all
+
+# Deny access to files without filename (e.g. '.php')
+
+ Order Deny,Allow
+ Deny from all
+
+
+# Running PHP scripts in user directories is disabled by default
+#
+# To re-enable PHP in user directories comment the following lines
+# (from to .) Do NOT set it to On as it
+# prevents .htaccess files from disabling it.
+
+
+ php_admin_flag engine Off
+
+
diff --git a/apache2/templates/centos/mods/proxy.conf.erb b/apache2/templates/centos/mods/proxy.conf.erb
new file mode 100644
index 0000000000..b5980cfa4b
--- /dev/null
+++ b/apache2/templates/centos/mods/proxy.conf.erb
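Review bot: Both deny blocks in php5.conf.erb use the 2.2-era `Order Deny,Allow` / `Deny from all` pair, while the rest of this change (apache2.conf.erb, proxy.conf.erb) uses the 2.4 `Require all denied` form; on a 2.4 build without mod_access_compat loaded these two directives are a startup error, and with it loaded the file mixes two authorization models in one server. Replace each pair with the single line `Require all denied` so the .phps block and the dot-file block use the same model as the other templates. The enclosing FilesMatch containers are not visible in this rendering, so the replacement applies inside each of them.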
@@ -0,0 +1,27 @@
+
+
+ # If you want to use apache2 as a forward proxy, uncomment the
+ # 'ProxyRequests On' line and the block below.
+ # WARNING: Be careful to restrict access inside the block.
+ # Open proxy servers are dangerous both to your network and to the
+ # Internet at large.
+ #
+ # If you only want to use apache2 as a reverse proxy/gateway in
+ # front of some web application server, you DON'T need
+ # 'ProxyRequests On'.
+
+ ProxyRequests Off
+
+ AddDefaultCharset off
+ Require all denied
+ #Require local
+
+
+ # Enable/disable the handling of HTTP/1.1 "Via:" headers.
+ # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
+ # Set to one of: Off | On | Full | Block
+ ProxyVia On
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/apache2/templates/centos/mods/ssl.conf.erb b/apache2/templates/centos/mods/ssl.conf.erb
new file mode 100644
index 0000000000..d25d335d26
--- /dev/null
+++ b/apache2/templates/centos/mods/ssl.conf.erb
@@ -0,0 +1,83 @@ + + + # Pseudo Random Number Generator (PRNG): + # Configure one or more sources to seed the PRNG of the SSL library. + # The seed data should be of good random quality. + # WARNING! On some platforms /dev/random blocks if not enough entropy + # is available. This means you then cannot use the /dev/random device + # because it would lead to very long connection times (as long as + # it requires to make more entropy available). But usually those + # platforms additionally provide a /dev/urandom device which doesn't + # block. So, if available, use this one instead. Read the mod_ssl User + # Manual for more details. + # + SSLRandomSeed startup builtin + SSLRandomSeed startup file:/dev/urandom 512 + SSLRandomSeed connect builtin + SSLRandomSeed connect file:/dev/urandom 512 + + ## + ## SSL Global Context + ## + ## All SSL configuration in this context applies both to + ## the main server and all SSL-enabled virtual hosts. + ## + + # + # Some MIME-types for downloading Certificates and CRLs + # + AddType application/x-x509-ca-cert .crt + AddType application/x-pkcs7-crl .crl + + # Inter-Process Session Cache: + # Configure the SSL Session Cache: First the mechanism + # to use and second the expiring timeout (in seconds). + # (The mechanism dbm has known memory leaks and should not be used). + #SSLSessionCache dbm:/var/run/apache2/ssl_scache + SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000) + SSLSessionCacheTimeout 300 + + # Semaphore: + # Configure the path to the mutual exclusion semaphore the + # SSL engine uses internally for inter-process synchronization. + # (Disabled by default, the global Mutex directive consolidates by default + # this) + #Mutex file:<%= node[:apache][:lock_dir] %>/ssl_mutex ssl-cache + + + # SSL Cipher Suite: + # List the ciphers that the client is permitted to negotiate. See the + # ciphers(1) man page from the openssl package for list of all available + # options. 
+ # Enable only secure ciphers: + SSLCipherSuite HIGH:MEDIUM:!ADH:!aNULL:!MD5 + + # Speed-optimized SSL Cipher configuration: + # If speed is your main concern (on busy HTTPS servers e.g.), + # you might want to force clients to specific, performance + # optimized ciphers. In this case, prepend those ciphers + # to the SSLCipherSuite list, and enable SSLHonorCipherOrder. + # Caveat: by giving precedence to RC4-SHA and AES128-SHA + # (as in the example below), most connections will no longer + # have perfect forward secrecy - if the server's key is + # compromised, captures of past or future traffic must be + # considered compromised, too. + #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 + #SSLHonorCipherOrder on + + # The protocols to enable. + # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2 + # SSL v2 is no longer supported + SSLProtocol all + + # Allow insecure renegotiation with clients which do not yet support the + # secure renegotiation protocol. Default: Off + #SSLInsecureRenegotiation on + + # Whether to forbid non-SNI clients to access name based virtual hosts. + # Default: Off + #SSLStrictSNIVHostCheck On + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/apache2/templates/centos/mods/status.conf.erb b/apache2/templates/centos/mods/status.conf.erb new file mode 100644 index 0000000000..5f53ba7aa8 --- /dev/null +++ b/apache2/templates/centos/mods/status.conf.erb 
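Review bot: `SSLProtocol all` enables SSLv3, which the comment above it still lists as an available value, and `SSLCipherSuite HIGH:MEDIUM:!ADH:!aNULL:!MD5` admits the MEDIUM grade (RC4, 3DES) despite the `# Enable only secure ciphers:` comment; with `SSLHonorCipherOrder` left commented out the client chooses, so the weakest offered suite is what a downgrading peer will negotiate. Change the two directives to `SSLProtocol all -SSLv3` and `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES`, and add `SSLHonorCipherOrder on` after them. The cache path in `SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000)` is a hard-coded Debian location in a CentOS template, whereas the commented Mutex line just below it already draws on node[:apache][:lock_dir]; templating it the same way would keep the two consistent. The enclosing IfModule container opens outside what this rendering shows, but the directives stand on their own.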
@@ -0,0 +1,29 @@
+
+ # Allow server status reports generated by mod_status,
+ # with the URL of http://servername/server-status
+ # Uncomment and change the "192.0.2.0/24" to allow access from other hosts.
+
+
+ SetHandler server-status
+ Require local
+ #Require ip 192.0.2.0/24
+
+
+ # Keep track of extended status information for each request
+ ExtendedStatus On
+
+ # Determine if mod_status displays the first 63 characters of a request or
+ # the last 63, assuming the request itself is greater than 63 chars.
+ # Default: Off
+ #SeeRequestTail On
+
+
+
+ # Show Proxy LoadBalancer status in mod_status
+ ProxyStatus On
+
+
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/apache2/templates/centos/ports.conf.erb b/apache2/templates/centos/ports.conf.erb
new file mode 100644
index 0000000000..715e2362f8
--- /dev/null
+++ b/apache2/templates/centos/ports.conf.erb
@@ -0,0 +1,11 @@
+# If you just change the port or add more ports here, you will likely also
+# have to change the VirtualHost statement in
+# /etc/apache2/sites-enabled/000-default.conf
+
+#This file generated via template by Chef.
+<% node[:apache][:listen_ports].each do |port| -%>
+Listen <%= port %>
+
+<% end -%>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet