Apache module question...


Sean Alderman

Feb 18, 2015, 4:49:08 PM
to example42-pu...@googlegroups.com
Hi,
  I know you've moved apache into the tiny puppet arena...but I'm working on extending the apache module to manage the default conf.d/ssl.conf file.  And I don't seem to be able to reproduce the results you get with the main httpd.conf file.

One could declare the apache module like so:

class { 'apache':
  template => 'site/apache/httpd.conf.erb',
}
  or simply
class { 'apache': }

and it works, it leaves the httpd.conf file alone to whatever the package provided.  As the README shows, we can pass the template parameter as well and that works great.

So I've tried to duplicate that within the SSL subclass, like so:

class { 'apache::ssl':
  template_ssl => 'site/apache/ssl.conf.erb',
}
 or simply
class {'apache::ssl': }

In the develop branch of my fork (https://github.com/salderma/puppet-apache/tree/develop) of this module, I've basically copied your 'apache.conf' file resource into the SSL subclass and added the parameters required.  What seems to happen is that if I don't specify template_ssl, then I end up with an empty conf.d/ssl.conf file.  So I'm completely missing your magic on how you don't set a default value for source or template and manage not to clobber the httpd.conf file provided by the package.

Do you have an idea of what I'm missing?

Thank you!


Alessandro Franceschi

Feb 18, 2015, 5:39:24 PM
to example42-pu...@googlegroups.com
Hi Sean,
it looks ok at first glance.
On what OS are you making the tests?
Are you sure the ssl.conf file the module creates (empty) has the same path of the one by the apache ssl package?
What happens when you pass the template_ssl parameter?
The module manages, by default, also the httpd.conf file, so it would create an empty file if no source or template is passed and there weren't any pre-existing file at the given path.
It looks like this is what's happening with the ssl.conf file.

al




--
book { 'Extending Puppet':
  author   => 'Alessandro Franceschi',
  url      => 'http://amzn.to/1nenFti',
  comments => 'Potentially the best and most important book on Puppet yet.',
}

Sean Alderman

Feb 19, 2015, 1:55:29 PM
to example42-pu...@googlegroups.com
Hi Al,

  In writing up a reply showing my test env, I've discovered and solved the problem -

In ssl.pp:
require => Package['apache'],

Should be 'mod_ssl'. Apache is already installed, so the module creates an empty file from the empty template/source before mod_ssl is installed. Then the mod_ssl package is installed and a new file is created as ssl.conf.rpmnew.

Anyway, here's the test env details with what was happening:
node 'client1' {

  class { 'puppet': }

  class { 'apache': }

  class { 'apache::ssl':
    ssl_template => 'udfiles/apache/ssl.conf-secure.erb',
  }
}

So the sole purpose of that ssl.conf template is to manage SSLProtocol and SSLCiphers so that by default we're on a more secure standard.  First puppet run produces this:

Notice: /Stage[main]/Apache/Package[apache]/ensure: created
Notice: /Stage[main]/Apache::Ssl/File[ssl.conf]/ensure: created
Info: /Stage[main]/Apache::Ssl/File[ssl.conf]: Scheduling refresh of Service[apache]
Notice: /Stage[main]/Apache::Ssl/Package[mod_ssl]/ensure: created
Info: /Stage[main]/Apache::Ssl/Package[mod_ssl]: Scheduling refresh of Service[apache]
Notice: /Stage[main]/Apache::Ssl/File[/var/cache/mod_ssl/scache]/ensure: created
Info: /Stage[main]/Apache::Ssl/File[/var/cache/mod_ssl/scache]: Scheduling refresh of Service[apache]
Notice: /Stage[main]/Apache/Service[apache]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Apache/Service[apache]: Unscheduling refresh on Service[apache]

Using NMAP I can validate my SSL security -
[root@puppet vagrant]# nmap --script ssl-enum-ciphers client1
...
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (12)
...

All is good.  Now, to undo this config, I yum remove httpd and mod_ssl, and comment out the template_ssl param in the node definition, then run puppet again.  Note the removal of mod_ssl creates a ssl.conf.rpmsave file.

[root@client1 ~]# puppet agent --test
...
Info: Applying configuration version '1424368562'
Notice: /Stage[main]/Apache/Package[apache]/ensure: created
Notice: /Stage[main]/Apache::Ssl/File[ssl.conf]/ensure: created
Info: /Stage[main]/Apache::Ssl/File[ssl.conf]: Scheduling refresh of Service[apache]
Notice: /Stage[main]/Apache::Ssl/Package[mod_ssl]/ensure: created
Info: /Stage[main]/Apache::Ssl/Package[mod_ssl]: Scheduling refresh of Service[apache]
Notice: /Stage[main]/Apache/Service[apache]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Apache/Service[apache]: Unscheduling refresh on Service[apache]
Notice: Finished catalog run in 15.29 seconds
...
[root@client1 ~]# ls -l /etc/httpd/conf.d/
total 32
-rw-r--r-- 1 root root  392 Oct 16 16:49 README
-rw-r--r-- 1 root root    0 Feb 19 18:56 ssl.conf
-rw-r--r-- 1 root root 9473 Aug 15  2014 ssl.conf.rpmnew
-rw-r--r-- 1 root root 9548 Feb 19 18:46 ssl.conf.rpmsave
-rw-r--r-- 1 root root  299 Aug 15  2014 welcome.conf



So, now that this is fixed, and given that you're moving away from these modules, do you want me to send over a PR for this new feature?
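The ordering fix described above, written out as an added example; this is not code from Sean's fork or from the example42 module. It assumes a RHEL/CentOS layout (/etc/httpd/conf.d/ssl.conf, packages httpd via Package['apache'] and mod_ssl), that class apache has already declared Package['apache'] and Service['apache'] (the titles in the agent log above), and uses plain class parameters with empty-string defaults in place of the module's params_lookup() calls.

```puppet
# Added example, not the module's own code: a minimal apache::ssl that
# manages conf.d/ssl.conf without clobbering the package-provided file.
class apache::ssl (
  $ssl_source   = '',                           # e.g. 'puppet:///modules/site/apache/ssl.conf'
  $ssl_template = '',                           # e.g. 'site/apache/ssl.conf.erb'
  $ssl_conf     = '/etc/httpd/conf.d/ssl.conf', # assumed RHEL/CentOS path
) {

  # Same idea as the httpd.conf handling Al describes: when neither a
  # source nor a template is given, both attributes are undef, so with
  # ensure => present Puppet only guarantees the file exists and leaves
  # whatever content is already there (the RPM's ssl.conf) untouched.
  $manage_content = $ssl_template ? {
    ''      => undef,
    default => template($ssl_template),
  }
  $manage_source = $ssl_source ? {
    ''      => undef,
    default => $ssl_source,
  }

  # mod_ssl ships the stock ssl.conf; it must land before we touch the file.
  package { 'mod_ssl':
    ensure  => installed,
    require => Package['apache'],
  }

  file { 'ssl.conf':
    ensure  => present,
    path    => $ssl_conf,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    source  => $manage_source,
    content => $manage_content,
    # The fix: depend on Package['mod_ssl'], not Package['apache'].
    # With only Package['apache'] the (empty) file was created before the
    # mod_ssl RPM ran, so rpm wrote its copy as ssl.conf.rpmnew and the
    # empty ssl.conf stayed in place, leaving the host with no TLS config.
    require => Package['mod_ssl'],
    notify  => Service['apache'],
  }
}
```

Declared as `class { 'apache::ssl': }` this leaves the RPM's ssl.conf alone; passing `ssl_template` or `ssl_source` replaces its content, and either way the file is only written after mod_ssl is installed, so the rpmnew/empty-file situation in the `ls -l` listing above cannot occur on a fresh run.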

Alessandro Franceschi

Feb 19, 2015, 2:51:24 PM
to example42-pu...@googlegroups.com
Yes, PRs are always welcome, as are people who want to maintain the existing "nextgen" modules.
al


John Miller

Apr 2, 2015, 4:26:14 PM
to example42-pu...@googlegroups.com
Hi Sean,

Would you be willing to team up on this?  I just submitted issue #81 on this an hour or so ago; no reason for us to duplicate the other's code.  If params_lookup() isn't working, perhaps the standard

class apache::ssl (
  $ssl_template = $apache::ssl::params::ssl_template,
  $ssl_options  = $apache::ssl::params::ssl_options,
) inherits apache::ssl::params {}

would be a good choice.  Alternatively, we'd have to patch params_lookup(), which would have wider effects.

Sean Alderman

Apr 2, 2015, 4:56:20 PM
to example42-pu...@googlegroups.com
I have my code from https://github.com/example42/puppet-apache/pull/76 deployed in my environment.  It seems to function as expected with no issues related to params_lookup().

I don't know enough about what the potential flaws are to set up test cases to confirm/deny them.  Otherwise, if Al wants me to rework it so the params are not in the ssl class itself but in the parent, it's easy enough to change it up.  I can also test it with an ENC to alleviate my concerns about namespace problems.

John Miller

Apr 2, 2015, 4:58:55 PM
to example42-pu...@googlegroups.com
Sweet, I'll grab your code and try it out. Are you passing your SSL options via the $options parameter in the main class?

John

Sean Alderman

Apr 2, 2015, 5:13:01 PM
to example42-pu...@googlegroups.com
For my stuff I don't use the $options param.

My update to the ssl subclass allows it to be declared with parameters.  From ssl.pp:

class apache::ssl (
  $ssl_port     = params_lookup( 'ssl_port' ),
  $ssl_source   = params_lookup( 'ssl_source' ),
  $ssl_template = params_lookup( 'ssl_template' ),
) inherits apache::params {
...

So I would define a node with apache and apache::ssl and pass the appropriate params to each.

John Miller

Apr 2, 2015, 5:17:51 PM
to example42-pu...@googlegroups.com
Thanks, Sean. I've defined a node and gotten your code working, but if you want to set SSLCipherSuite (for example) differently across different hosts, are you just passing in different template files for each?

John
John Miller
Systems Engineer
Brandeis University
john...@brandeis.edu
(781) 736-4619

Sean Alderman

Apr 7, 2015, 12:40:58 PM
to example42-pu...@googlegroups.com
That is correct. I basically have two approaches... Default and Secure.

The Secure one uses a template that sets the following:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SSLv3:!SSLv2:!TLSv1
ServerTokens Prod
ServerSignature Off

I think those are the only deviations from the default config...It's been a while since I designed the template.

John Miller

Apr 8, 2015, 10:55:24 AM
to example42-pu...@googlegroups.com
Thanks for the reply, Sean. From a cipher suite standpoint, I like what you're doing; the !SSLv3 and !SSLv2 abbreviations make things much much cleaner than our default of

kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:!kECDH:+RSA:!PSK:!SRP:!LOW:!aNULL:!EXP:!DSS:!eNULL:!RC4:!3DES:!DES:!CAMELLIA:!SEED:!IDEA

John