Commit 5dee2466 authored by mh's avatar mh

many improvements - make it work on EL7

* simplify a lot of things, like
** manage settings through ini_settings and not the whole file
** remove these small classes and merge them into bigger ones
* support EL7
* support more scls and simplify their management
* also pull in the default settings into scls
* add phpmore repository
parent eaefe3a6
#
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#
<IfModule prefork.c>
LoadModule php5_module modules/libphp5.so
</IfModule>
<IfModule mpm_itk_module>
LoadModule php5_module modules/libphp5.so
</IfModule>
<IfModule worker.c>
LoadModule php5_module modules/libphp5-zts.so
</IfModule>
#
# Cause the PHP interpreter to handle files with a .php extension.
#
AddHandler php5-script .php
AddType text/html .php
#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php
#
# Uncomment the following line to allow PHP to pretty-print .phps
# files as PHP source code:
#
#AddType application/x-httpd-php-source .phps
# for security reasons we turn php by default off and only enable it by vhost
php_admin_flag engine off
# and we turn safe mode by default on
php_admin_flag safe_mode On
# setup php
class php::base {
package{'php':
ensure => present,
notify => Service['apache'],
}
file{
'php_ini_config':
path => '/etc/php.ini',
source => [
"puppet:///modules/site_php/${::fqdn}/php.ini",
"puppet:///modules/site_php/${php::cluster_node}/php.ini",
'puppet:///modules/site_php/php.ini',
"puppet:///modules/php/config/php.ini.${::architecture}",
'puppet:///modules/php/config/php.ini'
],
require => Package['php'],
notify => Service['apache'],
owner => root,
group => 0,
mode => '0644';
ensure => present,
require => Package['apache'],
} -> file{
'/etc/php.d/timezone.ini':
content => "date.timezone = '${php::timezone}'\n",
require => Package['php'],
notify => Service['apache'],
owner => root,
group => 0,
mode => '0644';
}
include ::php::suhosin
$php_settings = deep_merge($php::security_settings,deep_merge($php::settings,
$php::params::global_settings))
$defaults = {
path => '/etc/php.ini',
require => Package['php'],
notify => Service['apache'],
}
create_ini_settings($php_settings,$defaults)
package{'php-suhosin':
ensure => installed,
require => Package['php'],
}
if $php::suhosin_cryptkey {
$default_suhosin_settings = {
'suhosin.session.cryptkey' => sha1("${php::suhosin_cryptkey}_session"),
'suhosin.cookie.cryptkey' => sha1("${php::suhosin_cryptkey}_cookie"),
}
} else {
$default_suhosin_settings = {}
}
$suhosin_settings = merge(merge($php::suhosin_settings,
$php::suhosin_default_settings),
$default_suhosin_settings)
$suhosin_defaults = {
path => '/etc/php.d/suhosin.ini',
require => Package['php-suhosin'],
notify => Service['apache'],
}
create_ini_settings({'' => $suhosin_settings},$suhosin_defaults)
include ::php::extensions::common
if versioncmp($::operatingsystemmajrelease,'6') > 0 {
include ::php::extensions::pecl::opcache
} else {
include ::php::apc
}
if versioncmp($::operatingsystemmajrelease,'5') > 0 {
yum::repo{
"remi-morephp":
descr => "Copr repo for morephp owned by remi",
baseurl => "https://copr-be.cloud.fedoraproject.org/results/remi/morephp/epel-${::operatingsystemmajrelease}-\$basearch/",
gpgkey => 'https://copr-be.cloud.fedoraproject.org/results/remi/morephp/pubkey.gpg',
enabled => 1,
gpgcheck => 1,
before => Package['php'],
}
}
}
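Review bot: The suhosin keys built in the `if $php::suhosin_cryptkey` branch are plain `sha1()` digests of the base secret plus a fixed suffix, and they are written through `create_ini_settings` with `$suhosin_defaults` that set only `path`, `require` and `notify`. Nothing visible here sets an owner or mode on `/etc/php.d/suhosin.ini`, and as far as I know the ini_setting change message carries the new value into agent logs and reports by default. I would add `show_diff => false,` to `$suhosin_defaults` if the installed inifile module supports it, and manage the file itself with an explicit owner and mode. The same pattern is repeated in `php::scl::phpx`. A comment noting that a short `suhosin_cryptkey` stays guessable through an unsalted SHA-1 would help whoever chooses the value.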
# centos specific php stuff
class php::centos inherits php::base {
file{'/etc/httpd/conf.d/php.conf':
source => [
"puppet:///modules/site_php/apache/${::operatingsystem}/${::fqdn}/php.conf",
"puppet:///modules/site_php/apache/${::operatingsystem}/php.conf",
"puppet:///modules/php/apache/${::operatingsystem}/php.conf",
],
require => [ Package['php'], Package['apache'] ],
notify => Service['apache'],
owner => root,
group => 0,
mode => '0644';
}
}
......@@ -6,11 +6,12 @@
# Simon Josi josi+puppet(at)puzzle.ch
# See LICENSE for the full license granted to you.
class php(
$cluster_node = '',
$timezone = 'Europe/Berlin',
) {
case $::operatingsystem {
'CentOS': { include php::centos }
default: { include php::base }
}
$settings = {},
$timezone = $php::params::timezone,
$security_settings = $php::params::security_settings,
$suhosin_settings = $php::params::suhosin_settings,
$suhosin_default_settings = $php::params::suhosin_default_settings,
$suhosin_cryptkey = $php::params::suhosin_cryptkey,
) inherits php::params {
include ::php::base
}
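Review bot: The new defaults `$timezone = $php::params::timezone` and `$suhosin_settings = $php::params::suhosin_settings` point at parameters that `php::params`, as shown on this page, does not declare (it has only `global_settings`, `security_settings`, `suhosin_default_settings` and `suhosin_cryptkey`). Unless they are defined elsewhere, timezone.ini would be written as `date.timezone = ''` and `merge()` would receive an undefined first argument; adding `$timezone = 'Europe/Berlin',` and `$suhosin_settings = {},` to `php::params` would close that. Separately, with `include php::centos` gone, nothing visible here still manages `/etc/httpd/conf.d/php.conf`, which carried `php_admin_flag engine off`. If no file outside this view re-adds that default, PHP is enabled for every vhost rather than per vhost, and that change deserves a line in the commit message.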
# fcgid on centos
class php::mod_fcgid::centos inherits php::centos {
File['/etc/httpd/conf.d/php.conf']{
ensure => absent,
class php::mod_fcgid::centos {
file{'/etc/httpd/conf.d/php.conf':
ensure => absent,
require => Package['php'],
notify => Service['apache'],
}
}
# some default params for php
class php::params(
$global_settings = {},
# following https://github.com/sektioneins/pcc
# and https://www.owasp.org/index.php/PHP_Configuration_Cheat_Sheet
$security_settings = {
'PHP' => {
expose_php => 'Off',
default_charset => 'UTF-8',
allow_url_fopen => 'Off',
allow_url_include => 'Off',
disable_functions => '"phpinfo, pcntl_exec, show_source"',
},
'Assertion' => {
'assert.active' => 'Off',
},
'mail function' => {
'mail.add_x_header' => 'Off',
},
},
$suhosin_default_settings = {
'suhosin.cookie.encrypt' => 'On',
'suhosin.get.disallow_ws' => 'On',
'suhosin.post.disallow_ws' => 'On',
'suhosin.disable.display_errors' => 'On',
'suhosin.executor.include.max_traversal' => '5',
'suhosin.executor.disable_emodifier' => 'On',
'session.use_strict_mode' => 'On',
},
$suhosin_cryptkey = undef,
) {
}
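Review bot: `disable_functions` in `$security_settings` lists only `phpinfo`, `pcntl_exec` and `show_source`, so the command-execution functions (`exec`, `system`, `passthru`, `shell_exec`, `proc_open`, `popen`) stay available in a default install. If that is deliberate for compatibility, a comment above the key saying so, and that callers can tighten it through `settings`, would stop readers from assuming the two cited references are applied in full. Also, `session.use_strict_mode` is a core PHP setting rather than a suhosin one, yet it sits in `$suhosin_default_settings` and so ends up in suhosin.ini; a one-line comment on why would help.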
# some general params for scl
class php::scl::params(
$timezone = 'Europe/Berlin',
$settings = {},
$suhosin_cryptkey = undef,
$suhosin_settings = {},
) {
}
# manage an scl php54 installation
# manage an scl php55 installation
class php::scl::php54(
$timezone = 'Europe/Berlin',
) {
require ::scl::php54
file{
'/opt/rh/php54/root/etc/php.ini':
source => [
"puppet:///modules/site_php/scl_php54/${::fqdn}/php.ini",
"puppet:///modules/site_php/scl_php54/${php::cluster_node}/php.ini",
'puppet:///modules/site_php/scl_php54/php.ini',
'puppet:///modules/php/config/scl_php54/php.ini'
],
notify => Service['apache'],
owner => root,
group => 0,
mode => '0644';
'/opt/rh/php54/root/etc/php.d/timezone.ini':
content => "date.timezone = '${timezone}'\n",
require => Package['php'],
notify => Service['apache'],
owner => root,
group => 0,
mode => '0644';
}
$timezone = $php::scl::params::timezone,
$settings = $php::scl::params::settings,
$suhosin_cryptkey = $php::scl::params::suhosin_cryptkey,
$suhosin_settings = $php::scl::params::suhosin_settings,
) inherits php::scl::params {
$basedir = '/opt/rh/php54'
$etcdir = "${basedir}/root/etc"
php::scl::phpx{'54':
etcdir => $etcdir,
timezone => $timezone,
settings => $settings,
suhosin_cryptkey => $suhosin_cryptkey,
suhosin_settings => $suhosin_settings,
}
}
# manage an scl php55 installation
class php::scl::php55(
$timezone = 'Europe/Berlin',
) {
require ::scl::php55
file{
'/opt/rh/php55/root/etc/php.ini':
source => [
"puppet:///modules/site_php/scl_php55/${::fqdn}/php.ini",
"puppet:///modules/site_php/scl_php55/${php::cluster_node}/php.ini",
'puppet:///modules/site_php/scl_php55/php.ini',
'puppet:///modules/php/config/scl_php55/php.ini'
],
notify => Service['apache'],
owner => root,
group => 0,
mode => '0644';
'/opt/rh/php55/root/etc/php.d/timezone.ini':
content => "date.timezone = '${timezone}'\n",
require => Package['php'],
notify => Service['apache'],
owner => root,
group => 0,
mode => '0644';
$timezone = $php::scl::params::timezone,
$settings = $php::scl::params::settings,
$suhosin_cryptkey = $php::scl::params::suhosin_cryptkey,
$suhosin_settings = $php::scl::params::suhosin_settings,
) inherits php::scl::params {
$basedir = '/opt/rh/php55'
$etcdir = "${basedir}/root/etc"
php::scl::phpx{'55':
etcdir => $etcdir,
timezone => $timezone,
settings => $settings,
suhosin_cryptkey => $suhosin_cryptkey,
suhosin_settings => $suhosin_settings,
}
}
# manage an scl php56 installation
class php::scl::php56(
$timezone = $php::scl::params::timezone,
$settings = $php::scl::params::settings,
$suhosin_cryptkey = $php::scl::params::suhosin_cryptkey,
$suhosin_settings = $php::scl::params::suhosin_settings,
) inherits php::scl::params {
$basedir = '/opt/rh/rh-php56'
$etcdir = '/etc/opt/rh/rh-php56'
php::scl::phpx{'56':
etcdir => $etcdir,
timezone => $timezone,
settings => $settings,
suhosin_cryptkey => $suhosin_cryptkey,
suhosin_settings => $suhosin_settings,
}
}
# manage an scl phpX installation
# this should do everything you need
# for an scl installation
define php::scl::phpx(
$etcdir = "/opt/rh/php${name}/root/etc",
$timezone = 'Europe/Berlin',
$settings = {},
$suhosin_cryptkey = undef,
$suhosin_settings = {}
) {
require "::scl::php${name}"
file{
"${etcdir}/php.d/timezone.ini":
content => "date.timezone = '${timezone}'\n",
require => Class["scl::php${name}"],
notify => Service['apache'],
owner => root,
group => 0,
mode => '0644';
}
include ::php::params
$php_settings = deep_merge(deep_merge($php::params::security_settings,
$php::params::global_settings),$settings)
$defaults = {
path => "${etcdir}/php.ini",
require => Class["scl::php${name}"],
notify => Service['apache'],
}
create_ini_settings($php_settings,$defaults)
if $suhosin_cryptkey {
$default_suhosin_settings = {
'suhosin.session.cryptkey' => sha1("${suhosin_cryptkey}_session_${name}"),
'suhosin.cookie.cryptkey' => sha1("${suhosin_cryptkey}_cookie_${name}"),
}
} else {
$default_suhosin_settings = {}
}
$php_suhosin_settings = merge(merge($suhosin_settings,
$php::params::suhosin_default_settings),
$default_suhosin_settings)
$suhosin_defaults = {
path => "${etcdir}/php.d/suhosin.ini",
require => Class["scl::php${name}"],
notify => Service['apache'],
}
create_ini_settings({'' => $php_suhosin_settings},$suhosin_defaults)
}
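Review bot: The precedence of the merged hashes is not the same here as in `php::base`, and it is not documented in either place. Assuming stdlib's rightmost-wins behaviour, this define lets `$settings` override `global_settings`, while `php::base` merges `$php::settings` before `$php::params::global_settings`, so there the global hash wins. In both places the caller's `suhosin_settings` is the leftmost argument to `merge()`, so `suhosin_default_settings` overrides it, which is the opposite of how `security_settings` is treated. This define also reads `$php::params::security_settings` directly, so a `security_settings` override passed to class `php` would not reach SCL installs. I would pick one order, e.g. `merge(merge($php::params::suhosin_default_settings, $suhosin_settings), $default_suhosin_settings)`, and state it in the header comment.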
# manage suhosin package
class php::suhosin {
package{'php-suhosin':
ensure => installed,
}
class php::suhosin(
) {
}