Commit adcf6a43 authored by Scotty Logan's avatar Scotty Logan

rewrote manifest based on idp_webauth manifest

parent 2539fba4
......@@ -19,33 +19,30 @@
# Copyright (c) 2016 The Board of Trustees of the Leland Stanford Junior
# University
#
class webauth {
if ($::packer_builder_type == 'docker' or $::virtual == 'docker') {
$apache_enable = false
$apache_ensure = 'stopped'
$apache_logroot = '/dev'
$apache_access = 'stdout'
$apache_error = 'stdout'
} else {
$apache_enable = true
$apache_ensure = 'running'
$apache_logroot = '/var/log/apache2'
$apache_access = 'access.log'
$apache_error = 'error.log'
}
class webauth (
$svc_enable,
$svc_ensure,
$logroot,
$access_log,
$error_log,
$log_format,
$servername,
$serveradmin,
$keyring,
$keytab,
$servicetokencache,
) {
class { 'apache':
service_enable => $apache_enable,
service_ensure => $apache_ensure,
service_enable => $svc_enable,
service_ensure => $svc_ensure,
default_mods => false,
default_confd_files => false,
default_vhost => false,
log_formats => {
vhost_common => '%v %h %l %u %t \"%r\" %>s %b',
combined_elb => '%v:%p %{X-Forwarded-For}i %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"'
custom => $log_format,
},
logroot => $apache_logroot,
logroot => $logroot,
}
apache::vhost { 'webauth':
......@@ -54,16 +51,16 @@ class webauth {
docroot_owner => 'root',
docroot_group => 'www-data',
docroot_mode => '0755',
servername => '${ENV_DOMAIN}', # lint:ignore:single_quote_string_with_variables
serveradmin => '${ADMIN_MAIL}', # lint:ignore:single_quote_string_with_variables
access_log_format => 'combined_elb',
access_log_file => $apache_access,
error_log_file => $apache_error,
servername => $servername,
serveradmin => $serveradmin,
access_log_format => 'custom',
access_log_file => $access_log,
error_log_file => $error_log,
request_headers => [
'unset Proxy early',
],
redirect_source => '/',
redirect_dest => 'https://${ENV_DOMAIN}', # lint:ignore:single_quote_string_with_variables
redirect_dest => "https://${servername}",
redirect_status => 'permanent',
}
......@@ -71,9 +68,21 @@ class webauth {
port => 8443,
ssl => true,
ssl_honorcipherorder => true,
ssl_honorcipherorder => 'on',
ssl_protocol => [ 'all', '-SSLv2', '-SSLv3' ],
ssl_cipher => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA',
# lint:ignore:140chars
ssl_cipher => join([
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384',
'DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256',
'kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384',
'ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:',
'DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256',
'DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA',
'AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES',
'CAMELLIA:DES-CBC3-SHA',
'!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA',
], ':'),
# lint:endignore
ssl_options => [ '+FakeBasicAuth', '+StrictRequire', '+StdEnvVars' ],
ssl_cert => '/etc/ssl/certs/server.pem',
ssl_chain => '/etc/ssl/certs/server-chain.pem',
......@@ -83,11 +92,11 @@ class webauth {
docroot_owner => 'root',
docroot_group => 'www-data',
docroot_mode => '0755',
servername => '${ENV_DOMAIN}', # lint:ignore:single_quote_string_with_variables
serveradmin => '${ADMIN_MAIL}', # lint:ignore:single_quote_string_with_variables
access_log_format => 'combined_elb',
access_log_file => $apache_access,
error_log_file => $apache_error,
servername => $servername,
serveradmin => $serveradmin,
access_log_format => 'custom',
access_log_file => $access_log,
error_log_file => $error_log,
request_headers => [
'unset Proxy early',
],
......@@ -100,6 +109,9 @@ class webauth {
additional_includes => [
'/etc/apache2/conf.d/webauth_extra.conf',
],
custom_fragment => '
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxyList /etc/apache2/conf.d/remoteip-proxylist.txt',
}
apache::mod {
......@@ -107,10 +119,9 @@ class webauth {
'env',
'rewrite',
'authn_core',
'authz_user',
'access_compat',
'proxy',
'proxy_http',
'proxy_ajp',
'remoteip',
]:
}
......@@ -119,6 +130,30 @@ class webauth {
package_ensure => 'latest',
}
apache::mod { 'webauthldap':
package => 'libapache2-mod-webauthldap',
package_ensure => 'latest',
require => Package['webauth'],
}
apache::custom_config { 'webauth':
ensure => present,
content => '
# WebAuth configuration.
WebAuthLoginURL https://weblogin.stanford.edu/login/
WebAuthWebKdcURL https://weblogin.stanford.edu/webkdc-service/
WebAuthWebKdcPrincipal service/webkdc@stanford.edu
WebAuthKeyring /var/lib/webauth/keyring
WebAuthKeytab /etc/webauth/keytab
WebAuthServiceTokenCache /var/lib/webauth/service_token_cache
WebAuthSSLRedirect on
WebAuthKeyringAutoUpdate off
# WebAuth LDAP configuration.
WebAuthLdapHost ldap.stanford.edu
WebAuthLdapBase cn=people,dc=stanford,dc=edu
WebAuthLdapAuthorizationAttribute suPrivilegeGroup',
}
file {
[
'/var/log/apache2',
......@@ -133,12 +168,29 @@ class webauth {
require => Package['httpd'],
}
# ensure the private key directory is readable by the apache user
file { '/etc/ssl/private':
ensure => directory,
owner => 'root',
group => 'www-data',
mode => '0750',
require => Package['httpd'],
}
file { '/etc/apache2/conf.d/platform_env.conf':
ensure => file,
owner => '0',
group => '0',
mode => '0644',
source => "puppet:///modules/${module_name}/apache2/platform_env.conf",
source => "puppet:///modules/${module_name}/platform_env.conf",
}
file { '/etc/apache2/conf.d/proxylist.txt':
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
source => "puppet:///modules/${module_name}/proxylist.txt"
}
file { '/start.sh':
......@@ -149,4 +201,12 @@ class webauth {
source => "puppet:///modules/${module_name}/start.sh",
}
file { '/etc/krb5.conf':
ensure => file,
owner => '0',
group => '0',
mode => '0644',
source => "puppet:///modules/${module_name}/krb5.conf",
}
}
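Review bot: The mod_remoteip directive added in the custom_fragment reads `RemoteIPInternalProxyList /etc/apache2/conf.d/remoteip-proxylist.txt`, but the file resource added later in this commit installs `/etc/apache2/conf.d/proxylist.txt`, so the trusted-proxy list Apache actually consults is never managed by this manifest. Since RemoteIPInternalProxyList is what decides whose X-Forwarded-For value is believed, a missing file is likely to fail Apache's config load and an unmanaged one lets arbitrary clients choose the address that lands in the access log and in any IP-based access control; the two paths should agree, e.g. change the directive to `RemoteIPInternalProxyList /etc/apache2/conf.d/proxylist.txt`. The new `$keyring`, `$keytab` and `$servicetokencache` parameters are also never used — the single-quoted content handed to apache::custom_config hard-codes `/var/lib/webauth/keyring`, `/etc/webauth/keytab` and `/var/lib/webauth/service_token_cache`, so either switch the content to a double-quoted string and write `WebAuthKeyring ${keyring}` (and likewise for the other two) or drop the parameters. Finally, the `/etc/ssl/private` resource grants group `www-data` read access to the private-key directory, which exposes any key there to every process running as the web user; Apache normally loads its TLS key as root before dropping privileges, so confirm this access is genuinely needed (the `ssl_key` setting is outside this diff) before shipping it.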