
Puppet Apache module : template for /etc/apache2/conf-available/security.conf

asked 2016-08-29 10:23:11 -0500

spic

Hello, even after reading the full https://github.com/puppetlabs/puppetl... page and googling around I did not find an answer to my questions, and therefore I hope some of you could help. On Ubuntu LTS 16.04 I am using puppet 3.8.5 and the puppetlabs apache module to deploy some apache servers on some Ubuntu servers. I have been able to find the template file (/etc/puppet/environments/production/modules/apache/templates/httpd.conf.erb) to modify the default /etc/apache2/apache2.conf configuration file, but I am unable to find the equivalent template file to modify /etc/apache2/conf-available/security.conf (nor to find where/how to disable it).

Any help will be welcome, thanks a lot. With Regards


Comments

What exactly are you trying to do? Are you managing the contents of that file outside of puppet, or at least outside of the official puppet module? (To answer your actual question, the resource for that file is in manifests/mod/security.pp, and that references templates/mod/security.conf.erb)

DarylW ( 2016-08-29 12:18:43 -0500 )

Thanks DarylW for answering. On the contrary, I am trying to have all the apache conf files managed through the official puppet module. About your answers, I think I was not clear enough. The files you are talking of are, in my opinion, related to modsec, which I am not using. The file I am talking of

spic ( 2016-08-30 03:04:12 -0500 )

is /etc/apache2/conf-available/security.conf. It contains declarations like:

ServerTokens OS
#ServerTokens Full
TraceEnable Off
#TraceEnable On
#Header set X-Content-Type-Options: "nosniff"
#Header set X-Frame-Options: "sameorigin"

that I want to change/enforce via puppet.

spic ( 2016-08-30 03:08:28 -0500 )

1 Answer


answered 2016-08-31 08:43:52 -0500

spic

updated 2016-08-31 08:44:22 -0500

Not an answer unfortunately, but a small update. I am still stuck, but I realize now that my problem is somehow related to the

templates/mod/security.conf.erb and modsec

you were talking of, DarylW. But I don't understand why....

Again what i am trying to do is manage the file

"/etc/apache2/conf-available/security.conf"

via puppet to change its content. I am managing apache thanks to the official puppet module. This means that, according to me, this file "/etc/apache2/conf-available/security.conf" came via the puppet apache module. Not finding any related template, I decided to manage it this way in my manifest:

class { 'apache':
  service_ensure => true,
  mpm_module     => 'prefork',
  default_vhost  => false,
  default_mods   => true,
}
#Trying Apache Hardening
file { '/etc/apache2/conf-available/security.conf':
  ensure  => 'present',
  path    => '/etc/apache2/conf-available/security.conf',
  owner   => root,
  group   => root,
  mode    => 644,
  ensure  => 'file',
  source  => 'puppet:///files/etc_apache2_conf-available_security.conf',
  #Ensure that http package is installed before we push the final /etc/apache2/conf-available/security.conf config file
  require => Package[$admintools],
}
#If /etc/apache2/conf-available/security.conf changes then refresh the service http
File['/etc/apache2/conf-available/security.conf'] ~> Service['http']

But running the agent on the client side I get the following error message:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Duplicate parameter 'ensure' for on File[/etc/apache2/conf-available/security.conf] at /etc/puppet/environments/production/modules/myownmodule/manifests/init.pp:80 on node pup01

Then, looking for the string security.conf in the full /etc/puppet directory, I find it here only:

/etc/puppet/environments/production/modules/apache/manifests/mod/security.pp

which contains:

file { 'security.conf':
  ensure  => file,
  content => template('apache/mod/security.conf.erb'),
  mode    => $::apache::file_mode,
  path    => "${::apache::mod_dir}/security.conf",
  owner   => $::apache::params::user,
  group   => $::apache::params::group,
  require => Exec["mkdir ${::apache::mod_dir}"],
  before  => File[$::apache::mod_dir],
  notify  => Class['apache::service'],
}

but the "security.conf" we are talking of here is the one related to the modsec config (path => "${::apache::mod_dir}/security.conf"), not the file "/etc/apache2/conf-available/security.conf" I am concerned with.

Well, I am stuck!


Comments

Just for information, I think I found my error... I was using (my mistake!) both ensure => 'present', and ensure => 'file', for the same file resource!

spic ( 2016-10-12 07:37:37 -0500 )
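
The fix noted in the last comment, written out as an added example (not the asker's or the module's code): the file resource with a single `ensure`, managing the directives listed in the question inline. It assumes the module declares its package as Package['httpd'] and that the apache2.conf generated by the module actually includes this file; the directive values are sample hardening choices, and the IfModule guard is there because mod_headers may not be loaded.

```puppet
class { 'apache':
  mpm_module    => 'prefork',
  default_vhost => false,
  default_mods  => true,
}

# Path taken from the question.
$security_conf = '/etc/apache2/conf-available/security.conf'

file { $security_conf:
  # Exactly one 'ensure'. Declaring both 'present' and 'file' is what
  # produced "Duplicate parameter 'ensure'" at catalog compilation.
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  # Quoted four-digit octal string rather than a bare number.
  mode    => '0644',
  # Constructed sample content: the directives quoted in the question,
  # set to restrictive values. Header lines only apply if mod_headers
  # is loaded, so they are wrapped in IfModule.
  content => '# Managed by Puppet, local changes will be overwritten
ServerTokens Prod
TraceEnable Off
<IfModule mod_headers.c>
  Header set X-Content-Type-Options "nosniff"
  Header set X-Frame-Options "sameorigin"
</IfModule>
',
  # Assumption: the apache module titles its package resource 'httpd',
  # so the conf-available directory exists before the file is written.
  require => Package['httpd'],
  # Same notification target the module uses for its own config files
  # (see manifests/mod/security.pp quoted above).
  notify  => Class['apache::service'],
}
```

After a run, `apache2ctl -t` on the node confirms the resulting configuration still parses, and a response header check against the server shows whether the file is really being included.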
