RSS

apache2 (56) Versions 3.0.1

Installs and configures all aspects of apache2 using Debian style symlinks with helper definitions

Berkshelf
Librarian
Knife
cookbook 'apache2', '~> 3.0.1'
cookbook 'apache2', '~> 3.0.1'
knife cookbook site install apache2
knife cookbook site download apache2
README
Dependencies
Changelog
Foodcritic

apache2 Cookbook

Build Status Gitter

This cookbook provides a complete Debian/Ubuntu style Apache HTTPD configuration. Non-Debian based distributions such as Red Hat/CentOS, ArchLinux and others supported by this cookbook will have a configuration that mimics Debian/Ubuntu style as it is easier to manage with Chef.

Debian-style Apache configuration uses scripts to manage modules and sites (vhosts). The scripts are:

  • a2ensite
  • a2dissite
  • a2enmod
  • a2dismod
  • a2enconf
  • a2disconf

This cookbook ships with templates of these scripts for non Debian/Ubuntu platforms. The scripts are used in the Definitions below.

Requirements

Ohai and Chef:

  • Ohai: 0.6.12+
  • Chef: 0.10.10+

As of v1.2.0, this cookbook makes use of node['platform_family'] to simplify platform selection logic. This attribute was introduced in Ohai v0.6.12. The recipe methods were introduced in Chef v0.10.10. If you must run an older version of Chef or Ohai, use version 1.1.16 of this cookbook.

Cookbooks:

This cookbook doesn't have direct dependencies on other cookbooks, as none are needed for the default recipe or the general use cases.

Depending on your OS configuration and security policy, you may need additional recipes or cookbooks for this cookbook's recipes to converge on the node. In particular, the following Operating System settings may affect the behavior of this cookbook:

  • apt cache outdated
  • SELinux enabled
  • IPtables
  • Compile tools
  • 3rd party repositories

On Ubuntu/Debian, use Opscode's apt cookbook to ensure the package cache is updated so Chef can install packages, or consider putting apt-get in your bootstrap process or knife bootstrap template

On RHEL, SELinux is enabled by default. The selinux cookbook contains a permissive recipe that can be used to set SELinux to "Permissive" state. Otherwise, additional recipes need to be created by the user to address SELinux permissions.

The easiest but certainly not ideal way to deal with IPtables is to flush all rules. Opscode does provide an iptables cookbook but is migrating from the approach used there to a more robust solution utilizing a general "firewall" LWRP that would have an "iptables" provider. Alternately, you can use ufw, with Opscode's ufw and firewall cookbooks to set up rules. See those cookbooks' READMEs for documentation.

Build/compile tools may not be installed on the system by default. Some recipes (e.g., apache2::mod_auth_openid) build the module from source. Use Opscode's build-essential cookbook to get essential build packages installed.

On ArchLinux, if you are using the apache2::mod_auth_openid recipe, you also need the pacman cookbook for the pacman_aur LWRP. Put recipe[pacman] on the node's expanded run list (on the node or in a role). This is not an explicit dependency because it is only required for this single recipe and platform; the pacman default recipe performs pacman -Sy to keep pacman's package cache updated.

The apache2::god_monitor recipe uses a definition from the god cookbook. Include recipe[god] in the node's expanded run list to ensure that the cookbook is available to the node, and to set up god.

Platforms:

The following platforms and versions are tested and supported using test-kitchen

  • Ubuntu 12.04, 14.04
  • Debian 7.6
  • CentOS 6.5, 7.0

The following platform families are supported in the code, and are assumed to work based on the successful testing on Ubuntu and CentOS.

  • Red Hat (rhel)
  • Fedora
  • Amazon Linux

The following platforms are also supported in the code, have been tested manually but are not tested under test-kitchen.

  • SUSE/OpenSUSE
  • ArchLinux
  • FreeBSD

Notes for RHEL Family:

On Red Hat Enterprise Linux and derivatives, the EPEL repository may be necessary to install packages used in certain recipes. The apache2::default recipe, however, does not require any additional repositories. Opscode's yum-epel cookbook can be used to add the EPEL repository. See Examples for more information.

Notes for FreeBSD:

Version 2.0 has been had some basic testing against FreeBSD 10.0 using Chef 11.14.2 which has support for pkgng (CHEF-4637).

Tests

This cookbook in the source repository contains chefspec, serverspec and cucumber tests. This is an initial proof of concept that will be fleshed out with more supporting infrastructure at a future time.

Please see the CONTRIBUTING file for information on how to add tests for your contributions.

Attributes

This cookbook uses many attributes, broken up into a few different kinds.

Platform specific

In order to support the broadest number of platforms, several attributes are determined based on the node's platform. See the attributes/default.rb file for default values in the case statement at the top of the file.

  • node['apache']['package'] - Package name for Apache2
  • node['apache']['perl_pkg'] - Package name for Perl
  • node['apache']['dir'] - Location for the Apache configuration
  • node['apache']['log_dir'] - Location for Apache logs
  • node['apache']['error_log'] - Location for the default error log
  • node['apache']['access_log'] - Location for the default access log
  • node['apache']['user'] - User Apache runs as
  • node['apache']['group'] - Group Apache runs as
  • node['apache']['binary'] - Apache httpd server daemon
  • node['apache']['conf_dir'] - Location for the main config file (e.g apache2.conf or httpd.conf)
  • node['apache']['docroot_dir'] - Location for docroot
  • node['apache']['cgibin_dir'] - Location for cgi-bin
  • node['apache']['icondir'] - Location for icons
  • node['apache']['cache_dir'] - Location for cached files used by Apache itself or recipes
  • node['apache']['pid_file'] - Location of the PID file for Apache httpd
  • node['apache']['lib_dir'] - Location for shared libraries
  • node['apache']['default_site_enabled'] - Default site enabled. Default is false.
  • node['apache']['ext_status'] - if true, enables ExtendedStatus for mod_status
  • `node['apache']['locale'] - Locale to set in sysconfig or envvars and used for subprocesses and modules (like mod_dav and mod_wsgi). On debian systems Uses system-local if set to 'system', defaults to 'C'.

General settings

These are general settings used in recipes and templates. Default values are noted.

  • node['apache']['version'] - Specifing 2.4 triggers apache 2.4 support. If the platform is known during our test to install 2.4 by default, it will be set to 2.4 for you. Otherwise it falls back to 2.2. This value should be specified as a string.
  • node['apache']['listen_addresses'] - Addresses that httpd should listen on. Default is any ("*").
  • node['apache']['listen_ports'] - Ports that httpd should listen on. Default is port 80.
  • node['apache']['contact'] - Value for ServerAdmin directive. Default "ops@example.com".
  • node['apache']['timeout'] - Value for the Timeout directive. Default is 300.
  • node['apache']['keepalive'] - Value for the KeepAlive directive. Default is On.
  • node['apache']['keepaliverequests'] - Value for MaxKeepAliveRequests. Default is 100.
  • node['apache']['keepalivetimeout'] - Value for the KeepAliveTimeout directive. Default is 5.
  • node['apache']['sysconfig_additional_params'] - Additionals variables set in sysconfig file. Default is empty.
  • node['apache']['default_modules'] - Array of module names. Can take "mod_FOO" or "FOO" as names, where FOO is the apache module, e.g. "mod_status" or "status".
  • node['apache']['mpm'] - With apache.version 2.4, specifies what Multi-Processing Module to enable. Default is "prefork".

The modules listed in default_modules will be included as recipes in recipe[apache::default].

Prefork attributes

Prefork attributes are used for tuning the Apache HTTPD prefork MPM configuration.

  • node['apache']['prefork']['startservers'] - initial number of server processes to start. Default is 16.
  • node['apache']['prefork']['minspareservers'] - minimum number of spare server processes. Default 16.
  • node['apache']['prefork']['maxspareservers'] - maximum number of spare server processes. Default 32.
  • node['apache']['prefork']['serverlimit'] - upper limit on configurable server processes. Default 400.
  • node['apache']['prefork']['maxrequestworkers'] - Maximum number of connections that will be processed simultaneously
  • node['apache']['prefork']['maxconnectionsperchild'] - Maximum number of request a child process will handle. Default 10000.

Worker attributes

Worker attributes are used for tuning the Apache HTTPD worker MPM configuration.

  • node['apache']['worker']['startservers'] - Initial number of server processes to start. Default 4
  • node['apache']['worker']['serverlimit'] - Upper limit on configurable server processes. Default 16.
  • node['apache']['worker']['minsparethreads'] - Minimum number of spare worker threads. Default 64
  • node['apache']['worker']['maxsparethreads'] - Maximum number of spare worker threads. Default 192.
  • node['apache']['worker']['maxrequestworkers'] - Maximum number of simultaneous connections. Default 1024.
  • node['apache']['worker']['maxconnectionsperchild'] - Limit on the number of connections that an individual child server will handle during its life.

Event attributes

Event attributes are used for tuning the Apache HTTPD event MPM configuration.

  • node['apache']['event']['startservers'] - Initial number of child server processes created at startup. Default 4.
  • node['apache']['event']['serverlimit'] - Upper limit on configurable number of processes. Default 16.
  • node['apache']['event']['minsparethreads'] - Minimum number of spare worker threads. Default 64
  • node['apache']['event']['maxsparethreads'] - Maximum number of spare worker threads. Default 192.
  • node['apache']['event']['threadlimit'] - Upper limit on the configurable number of threads per child process. Default 192.
  • node['apache']['event']['threadsperchild'] - Number of threads created by each child process. Default 64.
  • node['apache']['event']['maxrequestworkers'] - Maximum number of connections that will be processed simultaneously.
  • node['apache']['event']['maxconnectionsperchild'] - Limit on the number of connections that an individual child server will handle during its life.

mod_auth_openid attributes

The following attributes are in the attributes/mod_auth_openid.rb file. Like all Chef attributes files, they are loaded as well, but they're logistically unrelated to the others, being specific to the mod_auth_openid recipe.

  • node['apache']['mod_auth_openid']['checksum'] - sha256sum of the tarball containing the source.
  • node['apache']['mod_auth_openid']['ref'] - Any sha, tag, or branch found from https://github.com/bmuller/mod_auth_openid
  • node['apache']['mod_auth_openid']['version'] - directory name version within the tarball
  • node['apache']['mod_auth_openid']['cache_dir'] - the cache directory is where the sqlite3 database is stored. It is separate so it can be managed as a directory resource.
  • node['apache']['mod_auth_openid']['dblocation'] - filename of the sqlite3 database used for directive AuthOpenIDDBLocation, stored in the cache_dir by default.
  • node['apache']['mod_auth_openid']['configure_flags'] - optional array of configure flags passed to the ./configure step in the compilation of the module.

mod_ssl attributes

For general information on this attributes see http://httpd.apache.org/docs/current/mod/mod_ssl.html

  • node['apache']['mod_ssl']['cipher_suite'] - sets the SSLCiphersuite value to the specified string. The default is considered "sane" but you may need to change it for your local security policy, e.g. if you have PCI-DSS requirements. Additional commentary on the original pull request.
  • node['apache']['mod_ssl']['honor_cipher_order'] - Option to prefer the server's cipher preference order. Default 'On'.
  • node['apache']['mod_ssl']['insecure_renegotiation'] - Option to enable support for insecure renegotiation. Default 'Off'.
  • node['apache']['mod_ssl']['strict_sni_vhost_check'] - Whether to allow non-SNI clients to access a name-based virtual host. Default 'Off'.
  • node['apache']['mod_ssl']['session_cache'] - Configures the OCSP stapling cache. Default shmcb:/var/run/apache2/ssl_scache
  • node['apache']['mod_ssl']['session_cache_timeout'] - Number of seconds before an SSL session expires in the Session Cache. Default 300.
  • node['apache']['mod_ssl']['compression'] - Enable compression on the SSL level. Default 'Off'.
  • node['apache']['mod_ssl']['use_stapling'] - Enable stapling of OCSP responses in the TLS handshake. Default 'Off'.
  • node['apache']['mod_ssl']['stapling_responder_timeout'] - Timeout for OCSP stapling queries. Default 5
  • node['apache']['mod_ssl']['stapling_return_responder_errors'] - Pass stapling related OCSP errors on to client. Default 'Off'
  • node['apache']['mod_ssl']['stapling_cache'] - Configures the OCSP stapling cache. Default shmcb:/var/run/ocsp(128000)
  • node['apache']['mod_ssl']['pass_phrase_dialog'] - Configures SSLPassPhraseDialog. Default builtin
  • node['apache']['mod_ssl']['mutex'] - Configures SSLMutex. Default file:/var/run/apache2/ssl_mutex
  • node['apache']['mod_ssl']['directives'] - Hash for add any custom directive.

For more information on these directives and how to best secure your site see - https://bettercrypto.org/ - https://wiki.mozilla.org/Security/Server_Side_TLS - https://www.insecure.ws/linux/apache_ssl.html - https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ - https://istlsfastyet.com/ - https://www.ssllabs.com/projects/best-practices/

Recipes

Most of the recipes in the cookbook are for enabling Apache modules. Where additional configuration or behavior is used, it is documented below in more detail.

The following recipes merely enable the specified module: mod_alias, mod_auth_basic, mod_auth_digest, mod_authn_file, mod_authnz_ldap, mod_authz_default, mod_authz_groupfile, mod_authz_host, mod_authz_user, mod_autoindex, mod_cgi, mod_dav_fs, mod_dav_svn, mod_deflate, mod_dir, mod_env, mod_expires, mod_headers, mod_ldap, mod_log_config, mod_mime, mod_negotiation, mod_proxy, mod_proxy_ajp, mod_proxy_balancer, mod_proxy_connect, mod_proxy_http, mod_python, mod_rewrite, mod_setenvif, mod_status, mod_wsgi, mod_xsendfile.

On RHEL Family distributions, certain modules ship with a config file with the package. The recipes here may delete those configuration files to ensure they don't conflict with the settings from the cookbook, which will use per-module configuration in /etc/httpd/mods-enabled.

default

The default recipe does a number of things to set up Apache HTTPd. It also includes a number of modules based on the attribute node['apache']['default_modules'] as recipes.

logrotate

Logrotate adds a logrotate entry for your apache2 logs. This recipe requires the logrotate cookbook; ensure that recipe[logrotate] is in the node's expanded run list.

mod_auth_cas

This recipe installs the proper package and enables the auth_cas module. It can install from source or package. Package is the default, set the attribute node['apache']['mod_auth_cas']['from_source'] to true to enable source installation. Modify the version to install by changing the attribute node['apache']['mod_auth_cas']['source_revision']. It is a version tag by default, but could be master, or another tag, or branch.

The module configuration is written out with the CASCookiePath set, otherwise an error loading the module may cause Apache to not start.

Note: This recipe does not work on EL 6 platforms unless epel-testing repository is enabled (outside the scope of this cookbook), or the package version 1.0.8.1-3.el6 or higher is otherwise available to the system due to this bug:

https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=708550

mod_auth_openid

Changed via COOK-915

This recipe compiles the module from source. In addition to build-essential, some other packages are included for installation like the GNU C++ compiler and development headers.

To use the module in your own cookbooks to authenticate systems using OpenIDs, specify an array of OpenIDs that are allowed to authenticate with the attribute node['apache']['allowed_openids']. Use the following in a vhost to protect with OpenID authentication:

AuthType OpenID require user <%= node['apache']['allowed_openids'].join(' ') %>
AuthOpenIDDBLocation <%= node['apache']['mod_auth_openid']['dblocation'] %>

Change the DBLocation with the attribute as required; this file is in a different location than previous versions, see below. It should be a sane default for most platforms, though, see attributes/mod_auth_openid.rb.

Changes from COOK-915:

  • AuthType OpenID instead of AuthOpenIDEnabled On.
  • require user instead of AuthOpenIDUserProgram.
  • A bug(?) in mod_auth_openid causes it to segfault when attempting to update the database file if the containing directory is not writable by the HTTPD process owner (e.g., www-data), even if the file is writable. In order to not interfere with other settings from the default recipe in this cookbook, the db file is moved.

mod_fastcgi

Install the fastcgi package and enable the module.

Only work on Debian/Ubuntu

mod_fcgid

Installs the fcgi package and enables the module. Requires EPEL on RHEL family.

On RHEL family, this recipe will delete the fcgid.conf and on version 6+, create the /var/run/httpd/mod_fcgid` directory, which prevents the emergency error:

[emerg] (2)No such file or directory: mod_fcgid: Can't create shared memory for size XX bytes

mod_php5

Simply installs the appropriate package on Debian, Ubuntu and ArchLinux.

On Red Hat family distributions including Fedora, the php.conf that comes with the package is removed. On RHEL platforms less than v6, the php53 package is used.

  • node['apache']['mod_php5']['install_method'] - default package can be overridden to avoid package installs.

mod_ssl

Besides installing and enabling mod_ssl, this recipe will append port 443 to the node['apache']['listen_ports'] attribute array and update the ports.conf.

god_monitor

Sets up a god monitor for Apache. External requirements are the god and runit cookbooks from Opscode. When using this recipe, include recipe[god] in the node's expanded run list to ensure the client downloads it; god depends on runit so that will also be downloaded.

Note This recipe is not tested under test-kitchen yet and is pending fix in COOK-744.

Definitions

The cookbook provides a few definitions. At some point in the future these definitions may be refactored into lightweight resources and providers as suggested by foodcritic rule FC015.

apache_config

Sets up configuration file for Apache from a template. The template should be in the same cookbook where the definition is used. This is used by the apache_conf definition and is not often used directly.

It will use a2enconf and a2disconf to control the symlinking of configuration files between conf-available and conf-enabled.

Enable or disable an Apache config file in #{node['apache']['dir']}/conf-available by calling a2enmod or a2dismod to manage the symbolic link in #{node['apache']['dir']}/conf-enabled. These config files should be created in your cookbook, and placed on the system using apache_conf

Parameters:

  • name - Name of the config enabled or disabled with the a2enconf or a2disconf scripts.
  • source - The location of a template file. The default name.erb.
  • cookbook - The cookbook in which the configuration template is located (if it is not located in the current cookbook). The default value is the current cookbook.
  • enable - Default true, which uses a2enconf to enable the config. If false, the config will be disabled with a2disconf.

Examples:

Enable the example config.

    apache_config 'example' do
      enable true
    end

Disable a module:

    apache_config 'disabled_example' do
      enable false
    end

See the recipes directory for many more examples of apache_config.

apache_conf

Writes conf files to the conf-available folder, and passes enabled values to apache_config.

This definition should generally be called over apache_config.

Parameters:

  • name - Name of the config placed and enabled or disabled with the a2enconf or a2disconf scripts.
  • enable - Default true, which uses a2enconf to enable the config. If false, the config will be disabled with a2disconf.
  • conf_path - path to put the config in if you need to override the default conf-available.

Examples:

Place and enable the example conf:

    apache_conf 'example' do
      enable true
    end

Place and disable (or never enable to begin with) the example conf:

    apache_conf 'example' do
      enable false
    end

Place the example conf, which has a different path than the default (conf-*):

    apache_conf 'example' do
      conf_path '/random/example/path'
      enable false
    end

apache_mod

Sets up configuration file for an Apache module from a template. The template should be in the same cookbook where the definition is used. This is used by the apache_module definition and is not often used directly.

This will use a template resource to write the module's configuration file in the mods-available under the Apache configuration directory (node['apache']['dir']). This is a platform-dependent location. See apache_module.

Parameters:

  • name - Name of the template. When used from the apache_module, it will use the same name as the module.

Examples:

Create #{node['apache']['dir']}/mods-available/alias.conf.

    apache_mod "alias"

apache_module

Enable or disable an Apache module in #{node['apache']['dir']}/mods-available by calling a2enmod or a2dismod to manage the symbolic link in #{node['apache']['dir']}/mods-enabled. If the module has a configuration file, a template should be created in the cookbook where the definition is used. See Examples.

Parameters:

  • name - Name of the module enabled or disabled with the a2enmod or a2dismod scripts.
  • identifier - String to identify the module for the LoadModule directive. Not typically needed, defaults to #{name}_module
  • enable - Default true, which uses a2enmod to enable the module. If false, the module will be disabled with a2dismod.
  • conf - Default false. Set to true if the module has a config file, which will use apache_mod for the file.
  • filename - specify the full name of the file, e.g.

Examples:

Enable the ssl module, which also has a configuration template in templates/default/mods/ssl.conf.erb.

    apache_module "ssl" do
      conf true
    end

Enable the php5 module, which has a different filename than the module default:

    apache_module "php5" do
      filename "libphp5.so"
    end

Disable a module:

    apache_module "disabled_module" do
      enable false
    end

See the recipes directory for many more examples of apache_module.

apache_site

Enable or disable a VirtualHost in #{node['apache']['dir']}/sites-available by calling a2ensite or a2dissite to manage the symbolic link in #{node['apache']['dir']}/sites-enabled.

The template for the site must be managed as a separate resource. To combine the template with enabling a site, see web_app.

Parameters:

  • name - Name of the site.
  • enable - Default true, which uses a2ensite to enable the site. If false, the site will be disabled with a2dissite.

web_app

Manage a template resource for a VirtualHost site, and enable it with apache_site. This is commonly done for managing web applications such as Ruby on Rails, PHP or Django, and the default behavior reflects that. However it is flexible.

This definition includes some recipes to make sure the system is configured to have Apache and some sane default modules:

  • apache2
  • apache2::mod_rewrite
  • apache2::mod_deflate
  • apache2::mod_headers

It will then configure the template (see Parameters and Examples below), and enable or disable the site per the enable parameter.

Parameters:

Current parameters used by the definition:

  • name - The name of the site. The template will be written to #{node['apache']['dir']}/sites-available/#{params['name']}.conf
  • cookbook - Optional. Cookbook where the source template is. If this is not defined, Chef will use the named template in the cookbook where the definition is used.
  • template - Default web_app.conf.erb, source template file.
  • enable - Default true. Passed to the apache_site definition.

Additional parameters can be defined when the definition is called in a recipe, see Examples.

Examples:

The recommended way to use the web_app definition is in a application specific cookbook named "my_app". The following example would look for a template named 'web_app.conf.erb' in your cookbook containing the apache httpd directives defining the VirtualHost that would serve up "my_app".

    web_app "my_app" do
       template 'web_app.conf.erb'
       server_name node['my_app']['hostname']
    end

All parameters are passed into the template. You can use whatever you like. The apache2 cookbook comes with a web_app.conf.erb template as an example. The following parameters are used in the template:

  • server_name - ServerName directive.
  • server_aliases - ServerAlias directive. Must be an array of aliases.
  • docroot - DocumentRoot directive.
  • application_name - Used in RewriteLog directive. Will be set to the name parameter.
  • directory_index - Allow overriding the default DirectoryIndex setting, optional
  • directory_options - Override Options on the docroot, for example to add parameters like Includes or Indexes, optional.
  • allow_override - Modify the AllowOverride directive on the docroot to support apps that need .htaccess to modify configuration or require authentication.

To use the default web_app, for example:

    web_app "my_site" do
      server_name node['hostname']
      server_aliases [node['fqdn'], "my-site.example.com"]
      docroot "/srv/www/my_site"
      cookbook 'apache2'
    end

The parameters specified will be used as:

  • @params[:server_name]
  • @params[:server_aliases]
  • @params[:docroot]

In the template. When you write your own, the @ is significant.

For more information about Definitions and parameters, see the Chef Wiki

Usage

Using this cookbook is relatively straightforward. Add the desired recipes to the run list of a node, or create a role. Depending on your environment, you may have multiple roles that use different recipes from this cookbook. Adjust any attributes as desired. For example, to create a basic role for web servers that provide both HTTP and HTTPS:

    % cat roles/webserver.rb
    name "webserver"
    description "Systems that serve HTTP and HTTPS"
    run_list(
      "recipe[apache2]",
      "recipe[apache2::mod_ssl]"
    )
    default_attributes(
      "apache" => {
        "listen_ports" => ["80", "443"]
      }
    )

For examples of using the definitions in your own recipes, see their respective sections above.

License and Authors

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Dependent cookbooks

logrotate >= 0.0.0
iptables >= 0.0.0

Contingent cookbooks

abiquo Applicable Versions
aem Applicable Versions
apache Applicable Versions
apache2-git-site Applicable Versions
apache2-global-customlog Applicable Versions
apache2_odin_auth Applicable Versions
apache_vhosts Applicable Versions
application Applicable Versions
application_php Applicable Versions
application_ruby Applicable Versions
application_zf Applicable Versions
applications Applicable Versions
artifactory Applicable Versions
asgard Applicable Versions
awstats Applicable Versions
backuppc-server Applicable Versions
bamboo Applicable Versions
bigdesk Applicable Versions
boilerplate Applicable Versions
boilerplate_php Applicable Versions
bootstrap Applicable Versions
boxbilling Applicable Versions
bricks Applicable Versions
cacti Applicable Versions
cakephp Applicable Versions
celery-flower Applicable Versions
ceph Applicable Versions
chef Applicable Versions
chef-server Applicable Versions
chef-server-webapp Applicable Versions
cobbler Applicable Versions
confluence Applicable Versions
crowd Applicable Versions
django Applicable Versions
drupal Applicable Versions
drupalbaseplus Applicable Versions
dse-chef Applicable Versions
dvwa Applicable Versions
elasticsearch-head Applicable Versions
elefant Applicable Versions
eulipion-slate Applicable Versions
gallery Applicable Versions
gemirro Applicable Versions
gems Applicable Versions
gerrit Applicable Versions
git Applicable Versions
gotcms Applicable Versions
graphene Applicable Versions
graphite Applicable Versions
graylog2 Applicable Versions
gruyere Applicable Versions
hello_world_circleci_deploy_example Applicable Versions
icinga Applicable Versions
icinga-ng Applicable Versions
icinga2 Applicable Versions
infochimps_graphite Applicable Versions
instiki Applicable Versions
jekyll Applicable Versions
jenkins Applicable Versions
jira Applicable Versions
kibana Applicable Versions
kibana_lwrp Applicable Versions
kickstart Applicable Versions
lamp_role Applicable Versions
laravel Applicable Versions
logstash Applicable Versions
magento Applicable Versions
mailman Applicable Versions
mater Applicable Versions
mediawiki Applicable Versions
mod_security Applicable Versions
mruby Applicable Versions
munin Applicable Versions
myface Applicable Versions
nagios Applicable Versions
nagios3 Applicable Versions
naglite2 Applicable Versions
newrelic Applicable Versions
nginx-proxy Applicable Versions
nginx_fallback_to_apache Applicable Versions
nodestack Applicable Versions
noosfero Applicable Versions
owncloud Applicable Versions
pagekit Applicable Versions
passenger_apache2 Applicable Versions
passenger_enterprise Applicable Versions
php Applicable Versions
phpbb Applicable Versions
phpldapadmin Applicable Versions
phpstack Applicable Versions
pnp4nagios Applicable Versions
postfixadmin Applicable Versions
poweradmin Applicable Versions
prestashop Applicable Versions
pxe Applicable Versions
pxe_dust Applicable Versions
pypi-mirror Applicable Versions
pythonstack Applicable Versions
rackspace_apache_php Applicable Versions
radiant Applicable Versions
rails Applicable Versions
redmine Applicable Versions
repository Applicable Versions
reprepro Applicable Versions
request_tracker Applicable Versions
rundeck Applicable Versions
smokeping Applicable Versions
sogo Applicable Versions
sptoolkit Applicable Versions
stack_commons Applicable Versions
stash Applicable Versions
staticip Applicable Versions
subversion Applicable Versions
sugar_crm Applicable Versions
sugarcrm Applicable Versions
sugarcrm-ce Applicable Versions
sugarcrm_ce Applicable Versions
suhosin Applicable Versions
teampass Applicable Versions
testswarm Applicable Versions
thruk Applicable Versions
tomcat-openam Applicable Versions
tonicdns Applicable Versions
toran Applicable Versions
trac Applicable Versions
vicnum Applicable Versions
virtual_hosts Applicable Versions
virtualbox Applicable Versions
webobjects Applicable Versions
wordpress Applicable Versions
yumrepo_server Applicable Versions
zabbix Applicable Versions
zarafa Applicable Versions
zf2 Applicable Versions

apache2 Cookbook Changelog

This file is used to list changes made in each version of the apache2 cookbook.

v3.0.1 (2015-02-11)

  • [GH-310] Ubuntu Apache 2.2 requires the lock_dir to be owned by www-data
  • [GH-307] Clarify that apache.version is a string
  • [GH-305] Restart service after MPM changes
  • [GH-304] Don't install systemd module on Amazon Linux
  • [GH-298] Add non-threaded MPM break notice for PHP users
  • [GH-296] Create lock_dir automatically

v3.0.0 (2014-11-30)

Major version update because of SSL Improvements and new platform MPM and Version defaults.

  • [GH-286] Refactor MPM and Apache version defaults: default is now apache 2.4
  • Note: set apache.mpm to prefork if you are using mod_php in Ubuntu >=14.04
  • [GH-281] mod_ssl: Disable SSLv3 by default to protect against POODLE attack (CVE-2014-3566)
  • [GH-280] mod_ssl: Major update with modern Cipher Suite, and best practices. Updated to a more modern default apache.mod_ssl.cipher_suite. Added the following additional mod_ssl attributes
    • apache.mod_ssl.honor_cipher_order
    • apache.mod_ssl.insecure_renegotiation
    • apache.mod_ssl.strict_sni_vhost_check
    • apache.mod_ssl.session_cache_timeout
    • apache.mod_ssl.compression
    • apache.mod_ssl.use_stapling
    • apache.mod_ssl.stapling_responder_timeout
    • apache.mod_ssl.stapling_return_responder_errors
    • apache.mod_ssl.stapling_cache
    • apache.mod_ssl.pass_phrase_dialog
    • apache.mod_ssl.mutex
    • apache.mod_ssl.directives
  • [GH-278] Improved chefspec tests execution time
  • [GH-277] Optimize files watching for Guard on Win32 platform
  • [GH-270] Don't attempt start until after configuration is written
  • [GH-268] Now uses chefspec 4.1
  • [GH-267] Use Supermarket as the Berkshelf 3 source
  • [GH-266] Rubocop based ruby style/syntax improvements
  • [GH-264] mod_ssl: Add new attribute for to be ready to any custom directive
  • [GH-249] Don't prepend Apache log path when requesting error logging to syslog
  • [GH-247] Explicitly include mod_ldap before mod_authnz_ldap
  • [GH-243] Expand mpm options for different distros/versions.
  • [GH-239] Added apache.mod_php5.install_method attribute defaults to package. Install packages unless PHP is compiled from source.
  • OneHealth Solutions was acquired by Viverae
  • Remove ArchLinux pacman as a dependency and handle similar to apt, yum, zypper
  • Adjust ubuntu apache 2.4 docroot_dir to match package (from /var/www to /var/www/html)
  • [GH-238] Bump service config syntax check guard timeout to 10 seconds
  • [GH-235] Removed apache2::mpm_itk which is not part of core and therefore should be its own cookbook
  • [GH-234] /var/run/httpd/mod_fcgid directory now belongs to apache on Fedora/RHEL systems.
  • [GH-233] Default web_app template should return 503 status code when maintenance file is present
  • [GH-232] Cookbook now deletes a2* if they are symlinks before dropping template versions
  • [GH-222] Set TraceEnable to off by default.
  • [GH-213] Adjust chefspec to use the package resource on FreeBSD (previously freebsd_package)
  • [GH-212] New attribute apache.locale which sets LANG. defaults to 'C'
  • [GH-210] Clarify web_app definition usage around configuration templates.
  • [GH-208] apache_conf now accepts source and cookbook parameters.

v2.0.0 (2014-08-06)

Major version update because of major overhaul to support Apache 2.4 and a2enconf and a2endisconf changes.

  • [GH-204] mod_auth_openid: Added apache.mod_auth_openid.version attribute
  • FreeBSD support has been improved with the release of chef 11.14.2, portsnap is no longer used in favor of pkgng.
  • [GH-157] - Apache will only be started when a configuration test passes, this allows the chef run to fix any broken configuration without failing the chef run.
  • apache.log_dir directory is now 0755 on all platforms (including the debian platform family)
  • [GH-166, GH-173] - conf.d is no longer used and replaced by conf-available and conf-enabled managed via the a2enconf and a2disconf scripts
  • [GH-166, GH-173] - All configuration files need to end in .conf for them to be loaded
  • [GH-173] - Perl is a required package on all platforms to support the a2* scripts as we now use the debian versions directly.
  • [GH-193] - per MPM settings: maxclients is now maxrequestworkers
  • [GH-194] - per MPM settings: maxrequestsperchild is now maxconnectionsperchild
  • [GH-161] - Added support for CentOS 7
  • [GH-180] - Improved SuSE support
  • [GH-100] - Apache HTTP 2.4 support This provides Apache 2.4 support in a backwards compatible way. It adds the following new attributes:
    • apache.version - This defaults to 2.2 and if changed to 2.4; it triggers and assumes 2.4 packages will be installed.
    • apache.mpm - In 2.4 mode, this specifies which mpm to install. Default is prefork.
    • apache.run_dir
    • apache.lock_dir
    • apache.libexec_dir replaces apache.libexecdir
    • apache.prefork.maxrequestworkers replaces apache.prefork.maxclients
    • apache.prefork.maxconnectionsperchild replaces apache.prefork.maxrequestsperchild
    • apache.worker.threadlimit
    • apache.worker.maxrequestworkers replaces apache.worker.maxclients
    • apache.worker.maxconnectionsperchildreplaces apache.worker.maxrequestsperchild
    • apache.event.startservers
    • apache.event.serverlimit
    • apache.event.minsparethreads
    • apache.event.maxsparethreads
    • apache.event.threadlimit
    • apache.event.threadsperchild
    • apache.event.maxrequestworkers
    • apache.event.maxconnectionsperchild
    • apache.itk.startservers
    • apache.itk.minspareservers
    • apache.itk.maxspareservers
    • apache.itk.maxrequestworkers
    • apache.itk.maxconnectionsperchild

Apache 2.4 Upgrade Notes:

Since the changes between apache 2.2 and apache 2.4 are pretty significant, we are unable to account for all changes needed for your upgrade. Please take a moment to familiarize yourself with the Apache Software Foundation provided upgrade documentation before attempting to use this cookbook with apache 2.4. See http://httpd.apache.org/docs/current/upgrading.html

  • This cookbook does not automatically specify which version of apache to install. We are at the mercy of the package provider. It is important, however, to make sure that you configure the apache.version attribute to match. For your convenience, we try to set reasonable defaults based on different platforms in our test suite.
  • mod_proxy - In 2.4 mode, apache.proxy.order, apache.proxy.deny_from, apache.proxy.allow_from are ignored, as the attributes can not be supported in a backwards compatible way. Please use apache.proxy.require instead.

v1.11.0 (2014-07-25)

  • [GH-152] - Checking if server_aliases is defined in example
  • [GH-106] - Only turn rewrite on once in web_app.conf.erb
  • [GH-156] - Correct mod_basic/digest recipe names in README
  • Recipe iptables now includes the iptables::default recipe
  • Upgrade test-kitchen to latest version
  • Replaced minitest integration tests with serverspec tests
  • Added chefspec tests

v1.10.4 (2014-04-23)

  • [COOK-4249] mod_proxy_http requires mod_proxy

v1.10.2 (2014-04-09)

  • [COOK-4490] - Fix minitest apache_configured_ports helper
  • [COOK-4491] - Fix minitest: escape regex interpolation
  • [COOK-4492] - Fix service[apache2] CHEF-3694 duplication
  • [COOK-4493] - Fix template[ports.conf] CHEF-3694 duplication

As of 2014-04-04 and per Community Cookbook Diversification this cookbook now maintained by OneHealth Solutions. Please be patient as we get into the swing of things.

v1.10.0 (2014-03-28)

  • [COOK-3990] - Fix minitest failures on EL5
  • [COOK-4416] - Support the ability to point to local apache configs
  • [COOK-4469] - Use reload instead of restart on RHEL

v1.9.6 (2014-02-28)

[COOK-4391] - uncommenting the PIDFILE line

v1.9.4 (2014-02-27)

Bumping version for toolchain

v1.9.1 (2014-02-27)

[COOK-4348] Allow arbitrary params in sysconfig

v1.9.0 (2014-02-21)

Improvement

  • COOK-4076 - foodcritic: dependencies are not defined properly
  • COOK-2572 - Add mod_pagespeed recipe to apache2

Bug

  • COOK-4043 - apache2 cookbook does not depend on 'iptables'
  • COOK-3919 - Move the default pidfile for apache2 on Ubuntu 13.10 or greater
  • COOK-3863 - Add recipe for mod_jk
  • COOK-3804 - Fix incorrect datatype for apache/default_modules, use recipes option in metadata
  • COOK-3800 - Cannot load modules that use non-standard module identifiers
  • COOK-1689 - The perl package name should be configurable

v1.8.14

Version bump for toolchain sanity

v1.8.12

Fixing various style issues for travis

v1.8.10

fixing metadata version error. locking to 3.0"

v1.8.8

Version bump for toolchain sanity

v1.8.6

Locking yum dependency to '< 3'

v1.8.4

Bug

  • COOK-3769 - Fix a critical bug where the apache_module could not enable modules

v1.8.2

Bug

  • COOK-3766 - Fix an issue where the mod_ssl recipe fails due to a missing attribute

v1.8.0

Bug

  • COOK-3680 - Update template paths
  • COOK-3570 - Apache cookbook breaks on RHEL / CentOS 6
  • COOK-2944 - Fix foodcritic failures
  • COOK-2893 - Improve mod_auth_openid recipe with guards and idempotency
  • COOK-2758 - Fix use of non-existent attribute

New Feature

Improvement

  • COOK-3656 - Parameterize apache2 binary
  • COOK-3562 - Allow mod_proxy settings to be configured as attributes
  • COOK-3326 - Fix default_test to use ServerTokens attribute
  • COOK-2635 - Add support for SVG mime types
  • COOK-2598 - FastCGI Module only works on Debian-based platforms
  • COOK-1984 - Add option to configure the address apache listens to

v1.7.0

Improvement

  • [COOK-3073]: make access.log location configurable per-platform
  • [COOK-3074]: don't hardcode the error.log location in the default site config
  • [COOK-3268]: don't hardcode DocumentRoot and cgi-bin locations in default_site

New Feature

  • [COOK-3184]: Add mod_filter recipe to Apache2-cookbook
  • [COOK-3236]: Add mod_action recipe to Apache2-cookbook

v1.6.6

1.6.4 had a missed step in the automated release, long live 1.6.6.

Bug

  • [COOK-3018]: apache2_module does duplicate delayed restart of apache2 service when conf = true
  • [COOK-3027]: Default site enable true, then false, does not disable default site
  • [COOK-3109]: fix apache lib_dir arch attribute regexp

v1.6.2

  • [COOK-2535] - mod_auth_openid requires libtool to run autogen.sh
  • [COOK-2667] - Typo in usage documentation
  • [COOK-2461] - apache2::mod_auth_openid fails on some ubuntu systems
  • [COOK-2720] - Apache2 minitest helper function ran_recipe is not portable

v1.6.0

  • [COOK-2372] - apache2 mpm_worker: add ServerLimit attribute (default to 16)

v1.5.0

The mod_auth_openid attributes are changed. The upstream maintainer deprecated the older release versions, and the source repository has releases available at specific SHA1SUM references. The new attribute, node['apache']['mod_auth_openid']['ref'] is used to set this.

  • [COOK-2198] - apache::mod_auth_openid compiles from source, but does not install make on debian/ubuntu
  • [COOK-2224] - version conflict between cucumber and other gems
  • [COOK-2248] - apache2::mod_php5 uses not_if "which php" without ensuring package 'which' is installed
  • [COOK-2269] - Set allow list for mod_status incase external monitor scripts need
  • [COOK-2276] - cookbook apache2 documentation regarding listening ports doesn't match default attributes
  • [COOK-2296] - mod_auth_openid doesn't have tags/releases for the version I need for features and fixes
  • [COOK-2323] - Add Oracle linux support

v1.4.2

  • [COOK-1721] - fix logrotate recipe

v1.4.0

  • [COOK-1456] - iptables enhancements
  • [COOK-1473] - apache2 does not disable default site when setting "default_site_enabled" back to false
  • [COOK-1824] - the apache2 cookbook needs to specify which binary is used on rhel platform
  • [COOK-1916] - Download location wrong for apache2 mod_auth_openid >= 0.7
  • [COOK-1917] - Improve mod_auth_openid recipe to handle module upgrade more gracefully
  • [COOK-2029] - apache2 restarts on every run on RHEL and friends, generate-module-list on every run.
  • [COOK-2036] - apache2: Cookbook style

v1.3.2

  • [COOK-1804] - fix web_app definition parameter so site can be disabled.

v1.3.0

  • [COOK-1738] - Better configuration for mod_include and some overrides in web_app definition
  • [COOK-1470] - Change SSL Ciphers to Mitigate BEAST attack

v1.2.0

  • [COOK-692] - delete package conf.d files in module recipes, for EL
  • [COOK-1693] - Foodcritic finding for unnecessary string interpolation
  • [COOK-1757] - platform_family and better style / usage practices

v1.1.16

re-releasing as .16 due to error on tag 1.1.14

  • [COOK-1466] - add mod_auth_cas recipe
  • [COOK-1609] - apache2 changes ports.conf twice per run when using apache2::mod_ssl

v1.1.12

  • [COOK-1436] - restore apache2 web_app definition
  • [COOK-1356] - allow ExtendedStatus via attribute
  • [COOK-1403] - add mod_fastcgi recipe

v1.1.10

  • [COOK-1315] - allow the default site to not be enabled
  • [COOK-1328] - cookbook tests (minitest, cucumber)

v1.1.8

  • Some platforms with minimal installations that don't have perl won't have a node['languages']['perl'] attribute, so remove the conditional and rely on the power of idempotence in the package resource.
  • [COOK-1214] - address foodcritic warnings
  • [COOK-1180] - add mod_logio and fix mod_proxy

v1.1.6

FreeBSD users: This release requires the freebsd cookbook. See README.md.

  • [COOK-1025] - freebsd support in mod_php5 recipe

v1.1.4

  • [COOK-1100] - support amazon linux

v1.1.2

  • [COOK-996] - apache2::mod_php5 can cause PHP and module API mismatches
  • [COOK-1083] - return string for v_f_p and use correct value for default

v1.1.0

  • [COOK-861] - Add mod_perl and apreq2
  • [COOK-941] - fix mod_auth_openid on FreeBSD
  • [COOK-1021] - add a commented-out LoadModule directive to keep apxs happy
  • [COOK-1022] - consistency for icondir attribute
  • [COOK-1023] - fix platform test for attributes
  • [COOK-1024] - fix a2enmod script so it runs cleanly on !bash
  • [COOK-1026] - fix error_log location on FreeBSD

v1.0.8

  • COOK-548 - directory resource doesn't have backup parameter

v1.0.6

  • COOK-915 - update to mod_auth_openid version 0.6, see Recipes/mod_auth_openid below.
  • COOK-548 - Add support for FreeBSD.

v1.0.4

  • COOK-859 - don't hardcode module paths

v1.0.2

  • Tickets resolved in this release: COOK-788, COOK-782, COOK-780

v1.0.0

  • Red Hat family support is greatly improved, all recipes except god_monitor converge.
  • Recipe mod_auth_openid now works on RHEL family distros
  • Recipe mod_php5 will now remove config from package on RHEL family so it doesn't conflict with the cookbook's.
  • Added php5.conf.erb template for mod_php5 recipe.
  • Create the run state directory for mod_fcgid to prevent a startup error on RHEL version 6.
  • New attribute node['apache']['lib_dir'] to handle lib vs lib64 on RHEL family distributions.
  • New attribute node['apache']['group'].
  • Scientific Linux support added.
  • Use a file resource instead of the generate-module-list executed perl script on RHEL family.
  • "default" site can now be disabled.
  • web_app now has an "enable" parameter.
  • Support for dav_fs apache module.
  • Tickets resolved in this release: COOK-754, COOK-753, COOK-665, COOK-624, COOK-579, COOK-519, COOK-518
  • Fix node references in template for a2dissite
  • Use proper user and group attributes on files and templates.
  • Replace the anemic README.rdoc with this new and improved superpowered README.md :).
FC015: Consider converting definition to a LWRP: /tmp/cook/de3865f614d89b8b4c13f9ef/apache2/definitions/apache_conf.rb:1
FC015: Consider converting definition to a LWRP: /tmp/cook/de3865f614d89b8b4c13f9ef/apache2/definitions/apache_config.rb:1
FC015: Consider converting definition to a LWRP: /tmp/cook/de3865f614d89b8b4c13f9ef/apache2/definitions/apache_mod.rb:1
FC015: Consider converting definition to a LWRP: /tmp/cook/de3865f614d89b8b4c13f9ef/apache2/definitions/apache_module.rb:1
FC015: Consider converting definition to a LWRP: /tmp/cook/de3865f614d89b8b4c13f9ef/apache2/definitions/apache_site.rb:1
FC015: Consider converting definition to a LWRP: /tmp/cook/de3865f614d89b8b4c13f9ef/apache2/definitions/web_app.rb:1
FC023: Prefer conditional attributes: /tmp/cook/de3865f614d89b8b4c13f9ef/apache2/definitions/apache_conf.rb:38
FC031: Cookbook without metadata file: /tmp/cook/de3865f614d89b8b4c13f9ef/apache2/metadata.rb:1
FC045: Consider setting cookbook name in metadata: /tmp/cook/de3865f614d89b8b4c13f9ef/apache2/metadata.rb:1