From: Tom Hughes
Date: Thu, 30 May 2013 20:40:23 +0000 (+0100)
Subject: Add apache cookbook
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/d228f465b5bf9f5dffedcebad5c7fadcbba21cc3
Add apache cookbook
---
diff --git a/cookbooks/apache/README.rdoc b/cookbooks/apache/README.rdoc
new file mode 100644
index 000000000..3de2ec7a3
--- /dev/null
+++ b/cookbooks/apache/README.rdoc
@@ -0,0 +1,8 @@
+= DESCRIPTION:
+
+= REQUIREMENTS:
+
+= ATTRIBUTES:
+
+= USAGE:
+
diff --git a/cookbooks/apache/attributes/default.rb b/cookbooks/apache/attributes/default.rb
new file mode 100644
index 000000000..23ef3397a
--- /dev/null
+++ b/cookbooks/apache/attributes/default.rb
@@ -0,0 +1,27 @@
+default[:apache][:mpm] = "worker"
+
+default[:apache][:timeout] = 300
+
+default[:apache][:keepalive] = true
+
+default[:apache][:prefork][:start_servers] = 5
+default[:apache][:prefork][:min_spare_servers] = 5
+default[:apache][:prefork][:max_spare_servers] = 10
+default[:apache][:prefork][:max_clients] = 150
+default[:apache][:prefork][:max_requests_per_child] = 0
+
+default[:apache][:worker][:start_servers] = 2
+default[:apache][:worker][:min_spare_threads] = 25
+default[:apache][:worker][:max_spare_threads] = 75
+default[:apache][:worker][:thread_limit] = 64
+default[:apache][:worker][:threads_per_child] = 25
+default[:apache][:worker][:max_clients] = 150
+default[:apache][:worker][:max_requests_per_child] = 0
+
+default[:apache][:event][:start_servers] = 2
+default[:apache][:event][:max_clients] = 150
+default[:apache][:event][:min_spare_threads] = 25
+default[:apache][:event][:max_spare_threads] = 75
+default[:apache][:event][:thread_limit] = 64
+default[:apache][:event][:threads_per_child] = 25
+default[:apache][:event][:max_requests_per_child] = 0
diff --git a/cookbooks/apache/definitions/apache_module.rb b/cookbooks/apache/definitions/apache_module.rb
new file mode 100644
index 000000000..4ac89432d
--- /dev/null
+++ b/cookbooks/apache/definitions/apache_module.rb
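Review bot: httpd.conf.erb reads `node[:apache][:prefork][:server_limit]` (and the worker/event equivalents), but no default for `server_limit` is declared in this attributes file, and nothing records that the omission is deliberate. A one-line comment in each MPM group, e.g. `# server_limit is intentionally unset: httpd.conf.erb emits ServerLimit only when a role or node attribute supplies it`, stops the next maintainer from adding one by reflex. The pairing of `timeout = 300` with `keepalive = true` also deserves a why-comment, because those two values are the only bound on how long a slow or idle client holds a worker once the default recipe disables mod_reqtimeout.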
@@ -0,0 +1,70 @@
+#
+# Cookbook Name:: apache
+# Definition:: apache_module
+#
+# Copyright 2010, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+define :apache_module, :action => [ :install, :enable ], :variables => {} do
+ name = params[:name]
+ module_action = params[:action]
+
+ if params[:package].nil? or params[:package].empty?
+ package_name = "libapache2-mod-#{name}"
+ else
+ package_name = params[:package]
+ end
+
+ if module_action.include?(:install)
+ package package_name do
+ action :install
+ not_if { File.exists?("/etc/apache2/mods-available/#{name}.load") }
+ end
+
+ if params[:conf]
+ template "/etc/apache2/mods-available/#{name}.conf" do
+ source params[:conf]
+ owner "root"
+ group "root"
+ mode 0644
+ variables params[:variables]
+ if File.exists?("/etc/apache2/mods-enabled/#{name}.load")
+ notifies :reload, resources(:service => "apache2")
+ end
+ end
+ end
+ end
+
+ if module_action.include?(:enable)
+ execute "a2enmod-#{name}" do
+ command "/usr/sbin/a2enmod #{name}"
+ notifies :restart, resources(:service => "apache2")
+ not_if { File.exists?("/etc/apache2/mods-enabled/#{name}.load") }
+ end
+ elsif module_action.include?(:disable) or module_action.include?(:remove)
+ execute "a2dismod-#{name}" do
+ command "/usr/sbin/a2dismod #{name}"
+ notifies :restart, resources(:service => "apache2")
+ only_if { File.exists?("/etc/apache2/mods-enabled/#{name}.load") }
+ end
+ end
+
+ if module_action.include?(:remove)
+ package package_name do
+ action :remove
+ only_if { File.exists?("/etc/apache2/mods-available/#{name}.load") }
+ end
+ end
+end
diff --git a/cookbooks/apache/definitions/apache_site.rb b/cookbooks/apache/definitions/apache_site.rb
new file mode 100644
index 000000000..c0895959d
--- /dev/null
+++ b/cookbooks/apache/definitions/apache_site.rb
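Review bot: Every guard in this definition uses `File.exists?`, the deprecated alias; `File.exist?` behaves identically and avoids the warning on newer Rubies, and the same alias is used throughout apache_site.rb. The package-name condition and the `elsif` use the keyword `or`, which binds looser than `||` and is conventionally reserved for control flow; `if params[:package].nil? || params[:package].empty?` and `elsif module_action.include?(:disable) || module_action.include?(:remove)` read the same without the precedence trap. The a2enmod/a2dismod `execute` resources splice `name` straight into a shell command line; the name comes from the calling recipe rather than from outside input, so there is no injection exposure as written, but a comment such as `# name is recipe-controlled; it is interpolated into a shell command below` makes that assumption visible to anyone who later feeds the definition from a data bag.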
@@ -0,0 +1,60 @@
+#
+# Cookbook Name:: apache
+# Definition:: apache_site
+#
+# Copyright 2010, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+define :apache_site, :action => [ :create, :enable ], :variables => {} do
+ name = params[:name]
+ directory = params[:directory] || "/var/www/#{name}"
+ site_action = params[:action]
+ link_name = name == "default" ? "000-default" : name
+
+ if site_action.include?(:create) or site_action.include?(:enable)
+ template "/etc/apache2/sites-available/#{name}" do
+ cookbook params[:cookbook]
+ source params[:template]
+ owner "root"
+ group "root"
+ mode 0644
+ variables params[:variables].merge(:name => name, :directory => directory)
+ if File.exists?("/etc/apache2/sites-enabled/#{link_name}")
+ notifies :reload, resources(:service => "apache2")
+ end
+ end
+ end
+
+ if site_action.include?(:enable)
+ execute "a2ensite-#{name}" do
+ command "/usr/sbin/a2ensite #{name}"
+ notifies :restart, resources(:service => "apache2")
+ not_if { File.exists?("/etc/apache2/sites-enabled/#{link_name}") }
+ end
+ elsif site_action.include?(:disable) or site_action.include?(:delete)
+ execute "a2dissite-#{name}" do
+ action :run
+ command "/usr/sbin/a2dissite #{name}"
+ notifies :restart, resources(:service => "apache2")
+ only_if { File.exists?("/etc/apache2/sites-enabled/#{link_name}") }
+ end
+ end
+
+ if site_action.include?(:delete)
+ file "/etc/apache2/sites-available/#{name}" do
+ action :delete
+ end
+ end
+end
diff --git a/cookbooks/apache/metadata.rb b/cookbooks/apache/metadata.rb
new file mode 100644
index 000000000..3f1eadcf2
--- /dev/null
+++ b/cookbooks/apache/metadata.rb
@@ -0,0 +1,7 @@
+maintainer "OpenStreetMap Administrators"
+maintainer_email "admins@openstreetmap.org"
+license "Apache 2.0"
+description "Installs and configures apache"
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.rdoc'))
+version "1.0.0"
+depends "ssl"
diff --git a/cookbooks/apache/recipes/default.rb b/cookbooks/apache/recipes/default.rb
new file mode 100644
index 000000000..9fa7fed85
--- /dev/null
+++ b/cookbooks/apache/recipes/default.rb
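Review bot: The `a2dissite-#{name}` execute carries an explicit `action :run` while its sibling `a2ensite-#{name}` and both execute resources in apache_module.rb rely on the default; dropping that line keeps the two definitions consistent. `directory` is defaulted to `/var/www/#{name}` and handed to the template variables, but nothing in the definition creates it, so a comment such as `# directory is only passed to the template; the caller is responsible for creating it` would stop callers expecting the definition to provision the document root. The `:delete` branch removes the sites-available file only after the `elsif` above has run a2dissite for the same action; that ordering dependency between the two blocks is worth a one-line comment.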
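Review bot: `depends "ssl"` is the only dependency declared, yet recipes/default.rb calls `munin_plugin` three times, a definition that has to come from a munin cookbook; without `depends "munin"` the recipe only converges when that cookbook happens to be loaded by something else. Add `depends "munin"` next to the existing line. The `ssl` dependency is needed by recipes/ssl.rb, which both includes that cookbook's recipe and looks up its certificate resources with `resources(...)`.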
@@ -0,0 +1,55 @@
+#
+# Cookbook Name:: apache
+# Recipe:: default
+#
+# Copyright 2011, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package "apache2"
+package "apache2-mpm-#{node[:apache][:mpm]}"
+
+admins = data_bag_item("apache", "admins")
+
+template "/etc/apache2/httpd.conf" do
+ source "httpd.conf.erb"
+ owner "root"
+ group "root"
+ mode 0644
+end
+
+service "apache2" do
+ action [ :enable, :start ]
+ supports :status => true, :restart => true, :reload => true
+ subscribes :restart, "package[apache2-mpm-#{node[:apache][:mpm]}]"
+ subscribes :reload, "template[/etc/apache2/httpd.conf]"
+end
+
+apache_module "info" do
+ conf "info.conf.erb"
+ variables :hosts => admins["hosts"]
+end
+
+apache_module "status" do
+ conf "status.conf.erb"
+ variables :hosts => admins["hosts"]
+end
+
+apache_module "reqtimeout" do
+ action [ :disable ]
+end
+
+munin_plugin "apache_accesses"
+munin_plugin "apache_processes"
+munin_plugin "apache_volume"
diff --git a/cookbooks/apache/recipes/ssl.rb b/cookbooks/apache/recipes/ssl.rb
new file mode 100644
index 000000000..37bf822c5
--- /dev/null
+++ b/cookbooks/apache/recipes/ssl.rb
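Review bot: `apache_module "reqtimeout" do action [ :disable ] end` turns off mod_reqtimeout, the module that bounds how long a client may take to deliver request headers and body, and the commit gives no reason; with `Timeout 300` and `KeepAlive On` coming from the attributes file, a slow client can then occupy a worker for the full timeout. Add a why-comment on that block, e.g. `# mod_reqtimeout disabled: <reason>; this removes the RequestReadTimeout limits, leaving Timeout as the only bound on slow clients`, or keep the module and tune its limits instead. `admins["hosts"]` is also read without a check, so a data bag item lacking that key fails later inside the info/status templates at `@hosts.each` rather than here; a guard such as `raise "apache admins data bag item has no hosts" unless admins["hosts"]` after the lookup fails earlier and more clearly.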
@@ -0,0 +1,38 @@
+#
+# Cookbook Name:: apache
+# Recipe:: ssl
+#
+# Copyright 2011, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "apache"
+include_recipe "ssl"
+
+apache_module "ssl"
+
+template "/etc/apache2/conf.d/ssl" do
+ source "ssl.erb"
+ owner "root"
+ group "root"
+ mode 0644
+ notifies :reload, resources(:service => "apache2")
+end
+
+service "apache2" do
+ action :nothing
+ subscribes :restart, resources(:cookbook_file => "/etc/ssl/certs/rapidssl.pem")
+ subscribes :restart, resources(:cookbook_file => "/etc/ssl/certs/openstreetmap.pem")
+ subscribes :restart, resources(:file => "/etc/ssl/private/openstreetmap.key")
+end
diff --git a/cookbooks/apache/templates/default/httpd.conf.erb b/cookbooks/apache/templates/default/httpd.conf.erb
new file mode 100644
index 000000000..0361ffd86
--- /dev/null
+++ b/cookbooks/apache/templates/default/httpd.conf.erb
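Review bot: The second `service "apache2"` block re-declares a resource that recipes/default.rb already defines (and `include_recipe "apache"` has just loaded), so Chef clones the earlier resource's attributes into this one; that cloning emitted a warning in the Chef of this era and later releases deprecate and then remove it, so the block should carry a comment saying it exists only to attach the three subscriptions. Those subscriptions use the `resources(...)` lookup form while the default recipe uses the string form (`subscribes :restart, "package[...]"`); `subscribes :restart, "cookbook_file[/etc/ssl/certs/rapidssl.pem]"` and its two siblings would make the two recipes consistent. The lookups also fail at compile time if the ssl cookbook renames those resources, which is the right failure mode but worth one comment, e.g. `# these resource names are owned by the ssl cookbook`.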
@@ -0,0 +1,50 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+# Set the number of seconds before receives and sends time out
+Timeout <%= node[:apache][:timeout] %>
+
+# Decide whether or not to allow persistent connections
+Keepalive <%= node[:apache][:keepalive] ? "On" : "Off" %>
+<% if node[:apache][:mpm] == "prefork" -%>
+
+# Configure prefork MPM
+StartServers <%= node[:apache][:prefork][:start_servers] %>
+<% if node[:apache][:prefork][:server_limit] -%>
+ServerLimit <%= node[:apache][:prefork][:server_limit] %>
+<% end -%>
+MinSpareServers <%= node[:apache][:prefork][:min_spare_servers] %>
+MaxSpareServers <%= node[:apache][:prefork][:max_spare_servers] %>
+MaxClients <%= node[:apache][:prefork][:max_clients] %>
+MaxRequestsPerChild <%= node[:apache][:prefork][:max_requests_per_child] %>
+<% end -%>
+<% if node[:apache][:mpm] == "worker" -%>
+
+# Configure worker MPM
+StartServers <%= node[:apache][:worker][:start_servers] %>
+<% if node[:apache][:worker][:server_limit] -%>
+ServerLimit <%= node[:apache][:worker][:server_limit] %>
+<% end -%>
+MinSpareThreads <%= node[:apache][:worker][:min_spare_threads] %>
+MaxSpareThreads <%= node[:apache][:worker][:max_spare_threads] %>
+ThreadLimit <%= node[:apache][:worker][:thread_limit] %>
+ThreadsPerChild <%= node[:apache][:worker][:threads_per_child] %>
+MaxClients <%= node[:apache][:worker][:max_clients] %>
+MaxRequestsPerChild <%= node[:apache][:worker][:max_requests_per_child] %>
+<% end -%>
+<% if node[:apache][:mpm] == "event" -%>
+
+# Configure event MPM
+StartServers <%= node[:apache][:event][:start_servers] %>
+<% if node[:apache][:event][:server_limit] -%>
+ServerLimit <%= node[:apache][:event][:server_limit] %>
+<% end -%>
+MinSpareThreads <%= node[:apache][:event][:min_spare_threads] %>
+MaxSpareThreads <%= node[:apache][:event][:max_spare_threads] %>
+ThreadLimit <%= node[:apache][:event][:thread_limit] %>
+ThreadsPerChild <%= node[:apache][:event][:threads_per_child] %>
+MaxClients <%= node[:apache][:event][:max_clients] %>
+MaxRequestsPerChild <%= node[:apache][:event][:max_requests_per_child] %>
+<% end -%>
+
+# Default to UTF-8
+AddDefaultCharset utf-8
diff --git a/cookbooks/apache/templates/default/info.conf.erb b/cookbooks/apache/templates/default/info.conf.erb
new file mode 100644
index 000000000..fd3fb8e6f
--- /dev/null
+++ b/cookbooks/apache/templates/default/info.conf.erb
@@ -0,0 +1,20 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+
+
+
+ SetHandler server-info
+ Order deny,allow
+ Deny from all
+<% node.ipaddresses do |address| -%>
+ Allow from <%= address %>
+<% end -%>
+ Allow from 127.0.1.1
+ Allow from 127.0.0.1
+ Allow from ::1
+<% @hosts.each do |host| -%>
+ Allow from <%= host %>
+<% end -%>
+
+
+
diff --git a/cookbooks/apache/templates/default/ssl.erb b/cookbooks/apache/templates/default/ssl.erb
new file mode 100644
index 000000000..9e91555c0
--- /dev/null
+++ b/cookbooks/apache/templates/default/ssl.erb
@@ -0,0 +1,8 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+SSLHonorCipherOrder On
+SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
+
+SSLCertificateFile /etc/ssl/certs/openstreetmap.pem
+SSLCertificateKeyFile /etc/ssl/private/openstreetmap.key
+SSLCertificateChainFile /etc/ssl/certs/rapidssl.pem
diff --git a/cookbooks/apache/templates/default/status.conf.erb b/cookbooks/apache/templates/default/status.conf.erb
new file mode 100644
index 000000000..25cda1a25
--- /dev/null
+++ b/cookbooks/apache/templates/default/status.conf.erb
@@ -0,0 +1,26 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+
+ExtendedStatus On
+
+
+ SetHandler server-status
+ Order deny,allow
+ Deny from all
+<% node.ipaddresses do |address| -%>
+ Allow from <%= address %>
+<% end -%>
+ Allow from 127.0.1.1
+ Allow from 127.0.0.1
+ Allow from ::1
+<% @hosts.each do |host| -%>
+ Allow from <%= host %>
+<% end -%>
+
+
+
+
+ ProxyStatus On
+
+
+
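Review bot: `Keepalive` is written with a lowercase v; Apache matches directive names case-insensitively so it takes effect, but `KeepAlive` is the documented spelling and is what readers grep for, so `KeepAlive <%= node[:apache][:keepalive] ? "On" : "Off" %>` is the better line. This file is the Chef-owned place for global settings and it contains no hardening directives: there is no `ServerTokens`, `ServerSignature` or `TraceEnable` here, so whatever the distribution's own configuration sets is what the servers run with. Whether those are already covered elsewhere should be checked and, if not, `ServerTokens Prod`, `ServerSignature Off` and `TraceEnable Off` belong in this template next to `AddDefaultCharset`.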
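Review bot: The allow list admits the node's own addresses (`node.ipaddresses`, `127.0.0.1`, `127.0.1.1`, `::1`) in addition to the admin hosts, so any process on the host that forwards requests into this Apache — a local reverse proxy, or an application making server-side requests — can reach server-info, which prints the complete live configuration; if such a forwarder exists on these hosts the loopback entries should go, or the handler should sit behind authentication. The same list is repeated in status.conf.erb. The rendering has stripped the container tags, so the enclosing `<Location>`/`<IfModule>` block cannot be checked from this page; confirm the directives are scoped to a single path. `node.ipaddresses do |address|` is invoked without `.each`, which only iterates if `ipaddresses` is a method that yields; if it is a plain attribute array the block body never runs and no node address is allowed, silently — a comment naming where `ipaddresses` is defined would settle that for the reader.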
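Review bot: `SSLCipherSuite` leaves `RC4` negotiable and there is no `SSLProtocol` directive, so the protocol floor is whatever the distribution's default config sets rather than something Chef controls; RC4 has known keystream biases and is no longer considered safe, and with only one ECDHE suite ahead of static-RSA `AES256-SHA256` most clients end up without forward secrecy. Remove `RC4` from the list, reconsider `!EDH` and `!AESGCM` since both exclude the stronger options, and add `SSLProtocol all -SSLv2 -SSLv3` above the cipher line so the floor is explicit in this template. The certificate, key and chain paths match the resources recipes/ssl.rb subscribes to, so a change to any of them restarts Apache as intended.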
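Review bot: `ExtendedStatus On` appears at file scope rather than inside the status handler block, so it applies server-wide and makes server-status show each worker's current client address and request URI; that is the useful part of the page and also the sensitive part, so the loopback allow entries raised for info.conf.erb matter equally here. A comment above it, e.g. `# ExtendedStatus is server-wide: per-request client/URI detail is visible to every address allowed below`, records the trade-off. The container tags were lost in this rendering, so whether `ProxyStatus On` is wrapped in an IfModule for the proxy balancer module cannot be verified from the page.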