
Revision f56a3067

Added by Alexis Mousset over 7 years ago

Fixes #9889: Remove common conf between relay and webapp from webapp package


rudder-server-relay/SOURCES/rudder-apache-relay-common.conf
DocumentRoot /var/www
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# Expose the server UUID through http
Alias /uuid /opt/rudder/etc/uuid.hive
<Directory /opt/rudder/etc>
<IfVersion < 2.4>
Order deny,allow
Allow From all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</Directory>
# WebDAV share to receive inventories
Alias /inventories /var/rudder/inventories/incoming
<Directory /var/rudder/inventories/incoming>
DAV on
AuthName "WebDAV Storage"
AuthType Basic
AuthUserFile /opt/rudder/etc/htpasswd-webdav-initial
Require valid-user
# rudder-networks.conf / rudder-networks-24.conf is automatically
# generated according to the hosts allowed by rudder.
<IfVersion < 2.4>
Order allow,deny
Include /opt/rudder/etc/rudder-networks.conf
</IfVersion>
<IfVersion >= 2.4>
Include /opt/rudder/etc/rudder-networks-24.conf
</IfVersion>
<LimitExcept PUT>
<IfVersion < 2.4>
Order deny,allow
Deny from all
</IfVersion>
<IfVersion >= 2.4>
Require all denied
</IfVersion>
</LimitExcept>
</Directory>
# WebDAV share to receive inventories
Alias /inventory-updates /var/rudder/inventories/accepted-nodes-updates
<Directory /var/rudder/inventories/accepted-nodes-updates>
DAV on
AuthName "WebDAV Storage"
AuthType Basic
AuthUserFile /opt/rudder/etc/htpasswd-webdav
Require valid-user
# rudder-networks.conf / rudder-networks-24.conf is automatically
# generated according to the hosts allowed by rudder.
<IfVersion < 2.4>
Order allow,deny
Include /opt/rudder/etc/rudder-networks.conf
</IfVersion>
<IfVersion >= 2.4>
Include /opt/rudder/etc/rudder-networks-24.conf
</IfVersion>
<LimitExcept PUT>
<IfVersion < 2.4>
Order deny,allow
Deny from all
</IfVersion>
<IfVersion >= 2.4>
Require all denied
</IfVersion>
</LimitExcept>
</Directory>
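Review bot: In the two WebDAV `<Directory>` blocks, the Apache 2.4 branch does not combine the password check with the network restriction: `Require valid-user` and the `Require` lines pulled in by `Include /opt/rudder/etc/rudder-networks-24.conf` sit at the same level, and 2.4 treats sibling `Require` directives as an implicit `<RequireAny>`. Either condition alone is then enough, whereas the 2.2 branch (`Order allow,deny` plus `Require valid-user`, with `Satisfy` defaulting to `All`) needs both. If both are intended, the 2.4 branch should wrap them in `<RequireAll>` with the included networks inside a nested `<RequireAny>`, and `Require valid-user` has to move into the version branches so it no longer sits beside the container; this assumes the generated file holds only `Require` lines. The same layout is used for `/inventories` and `/inventory-updates`.

```apache
# … unchanged: DAV on, AuthName, AuthType, AuthUserFile …
<IfVersion < 2.4>
Require valid-user
Order allow,deny
Include /opt/rudder/etc/rudder-networks.conf
</IfVersion>
<IfVersion >= 2.4>
<RequireAll>
Require valid-user
<RequireAny>
Include /opt/rudder/etc/rudder-networks-24.conf
</RequireAny>
</RequireAll>
</IfVersion>
# … unchanged: <LimitExcept PUT> block …
```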
rudder-server-relay/SOURCES/rudder-relay-apache-common.conf
DocumentRoot /var/www
# Expose the server UUID through http
Alias /uuid /opt/rudder/etc/uuid.hive
<Directory /opt/rudder/etc>
<IfVersion < 2.4>
Order deny,allow
Allow From all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</Directory>
# WebDAV share to receive inventories
Alias /inventories /var/rudder/inventories/incoming
<Directory /var/rudder/inventories/incoming>
DAV on
AuthName "WebDAV Storage"
AuthType Basic
AuthUserFile /opt/rudder/etc/htpasswd-webdav-initial
Require valid-user
# rudder-networks.conf / rudder-networks-24.conf is automatically
# generated according to the hosts allowed by rudder.
<IfVersion < 2.4>
Order allow,deny
Include /opt/rudder/etc/rudder-networks.conf
</IfVersion>
<IfVersion >= 2.4>
Include /opt/rudder/etc/rudder-networks-24.conf
</IfVersion>
<LimitExcept PUT>
Require all denied
</LimitExcept>
</Directory>
# WebDAV share to receive inventories
Alias /inventory-updates /var/rudder/inventories/accepted-nodes-updates
<Directory /var/rudder/inventories/accepted-nodes-updates>
DAV on
AuthName "WebDAV Storage"
AuthType Basic
AuthUserFile /opt/rudder/etc/htpasswd-webdav
Require valid-user
# rudder-networks.conf / rudder-networks-24.conf is automatically
# generated according to the hosts allowed by rudder.
<IfVersion < 2.4>
Order allow,deny
Include /opt/rudder/etc/rudder-networks.conf
</IfVersion>
<IfVersion >= 2.4>
Include /opt/rudder/etc/rudder-networks-24.conf
</IfVersion>
<LimitExcept PUT>
Require all denied
</LimitExcept>
</Directory>
rudder-server-relay/SOURCES/rudder-relay-vhost-ssl.conf
<VirtualHost *:443>
ServerAdmin webmaster@localhost
# Include Rudder common vhost definitions
Include /opt/rudder/etc/rudder-relay-apache-common.conf
# Logs
ErrorLog /var/log/rudder/apache2/error.log
LogLevel warn
CustomLog /var/log/rudder/apache2/access.log combined
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCertificateFile /opt/rudder/etc/ssl/rudder-relay.crt
SSLCertificateKeyFile /opt/rudder/etc/ssl/rudder-relay.key
</VirtualHost>
rudder-server-relay/SOURCES/rudder-relay-vhost.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
# Include Rudder common vhost definitions
Include /opt/rudder/etc/rudder-relay-apache-common.conf
# Logs
LogLevel warn
CustomLog /var/log/rudder/apache2/access.log combined
ErrorLog /var/log/rudder/apache2/error.log
</VirtualHost>
rudder-server-relay/SOURCES/rudder-vhost.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
# Logs
LogLevel warn
CustomLog /var/log/rudder/apache2/access.log combined
ErrorLog /var/log/rudder/apache2/error.log
# Include Rudder common vhost definitions
Include /opt/rudder/etc/rudder-apache-*-common.conf
Include /opt/rudder/etc/rudder-apache-*-nossl.conf
</VirtualHost>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
# Logs
LogLevel warn
CustomLog /var/log/rudder/apache2/access.log combined
ErrorLog /var/log/rudder/apache2/error.log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCertificateFile /opt/rudder/etc/ssl/rudder.crt
SSLCertificateKeyFile /opt/rudder/etc/ssl/rudder.key
# Include Rudder common vhost definitions
Include /opt/rudder/etc/rudder-apache-*-common.conf
Include /opt/rudder/etc/rudder-apache-*-ssl.conf
</VirtualHost>
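Review bot: The four wildcard `Include` lines will stop Apache 2.4 from starting on any host where a pattern matches nothing, because `Include` treats a non-matching wildcard as an error there; on this page the `-nossl` and `-ssl` fragments exist only under rudder-webapp, so a relay without the webapp would presumably hit this in both vhosts. `IncludeOptional /opt/rudder/etc/rudder-apache-*-nossl.conf` avoids it but does not exist in 2.2, so it would have to go inside `<IfVersion >= 2.4>` with the plain `Include` kept for `<IfVersion < 2.4>`. Separately, the `*:80` vhost pulls in the `-common` fragment, whose WebDAV shares use `AuthType Basic`, so those credentials cross the network unencrypted; a comment stating that this is accepted for agent compatibility would help the next reader.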
rudder-server-relay/SPECS/rudder-server-relay.spec
Group: Applications/System
Source1: rudder-relay-vhost.conf
Source1: rudder-vhost.conf
Source2: rudder-networks.conf
Source3: rudder-networks-24.conf
Source4: rudder-relay-vhost-ssl.conf
Source5: rudder-relay-apache-common.conf
Source5: rudder-apache-relay-common.conf
Source6: rudder-relay-apache
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
......
## General
BuildRequires: python, python-devel
Requires: rudder-agent, rsyslog, openssl, %{apache}, %{apache_tools}, python
Requires: rudder-agent >= %{real_epoch}:%{real_version}, rsyslog, openssl, %{apache}, %{apache_tools}, python
## RHEL
%if 0%{?rhel}
......
install -m 644 %{_sourcedir}/relay-api/apache/relay-api.conf %{buildroot}/etc/%{apache_vhost_dir}/relay-api.conf
# Others
install -m 644 %{SOURCE1} %{buildroot}/etc/%{apache_vhost_dir}/rudder-relay-vhost.conf
install -m 644 %{SOURCE4} %{buildroot}/etc/%{apache_vhost_dir}/rudder-relay-vhost-ssl.conf
install -m 644 %{SOURCE5} %{buildroot}%{rudderdir}/etc/rudder-relay-apache-common.conf
install -m 644 %{SOURCE1} %{buildroot}/etc/%{apache_vhost_dir}/rudder.conf
install -m 644 %{SOURCE5} %{buildroot}%{rudderdir}/etc/rudder-apache-relay-common.conf
install -m 644 %{SOURCE6} %{buildroot}/etc/sysconfig/rudder-relay-apache
# Copy stub rudder-networks*.conf
......
service %{apache} stop > /dev/null && echo " Done"
%endif
%if 0%{?rhel} >= 7
/bin/systemctl stop %{apache}.service && echo " Done"
/bin/systemctl stop %{apache}.service && echo " Done"
%endif
%if 0%{?suse_version}
......
# Do this ONLY at first install
if [ $1 -eq 1 ]; then
echo -e '# This sources the configuration file needed by Rudder\n. /etc/sysconfig/rudder-relay-apache' >> /etc/sysconfig/apache2
echo 'DAVLockDB /tmp/davlock.db' > /etc/%{apache}/conf.d/dav_mod.conf
fi
# Add required includes in the SLES apache2 configuration
%if 0%{?suse_version}
# Add required includes in the apache2 configuration
if ! grep -qE "^. /etc/sysconfig/rudder-relay-apache$" /etc/sysconfig/apache2; then
echo -e '#¬This sources the modules/defines needed by Rudder\n. /etc/sysconfig/rudder-relay-apache' >> /etc/sysconfig/apache2
echo -e '# This sources the modules/defines needed by Rudder\n. /etc/sysconfig/rudder-relay-apache' >> /etc/sysconfig/apache2
fi
%endif
# Remove old includes in the SLES apache2 configuration
if [ -f /etc/sysconfig/apache2 ]; then
if grep -qE "^. /etc/sysconfig/rudder-apache$" /etc/sysconfig/apache2; then
sed -i "/. \/etc\/sysconfig\/rudder-apache/d" /etc/sysconfig/apache2
fi
fi
# On SLES, change the Apache DocumentRoot to the OS default
sed -i "s%^DocumentRoot /var/www$%DocumentRoot /srv/www%" %{buildroot}%{rudderdir}/etc/rudder-apache-relay-common.conf
%endif
# Create inventory repositories and add rights to the apache user to
# access /var/rudder/inventories/incoming
......
%{htpasswd_cmd} -bc ${passwdfile} rudder rudder >/dev/null 2>&1
done
# Generate the SSL certificates if needed
if [ ! -f /opt/rudder/etc/ssl/rudder-relay.crt ] || [ ! -f /opt/rudder/etc/ssl/rudder-relay.key ]; then
# Migrate existing certificates
if [ ! -f /opt/rudder/etc/ssl/rudder.crt ] || [ ! -f /opt/rudder/etc/ssl/rudder.key ]; then
for source in relay webapp; do
if [ -f /opt/rudder/etc/ssl/rudder-${source}.crt ] && [ -f /opt/rudder/etc/ssl/rudder-${source}.key ]; then
echo -n "INFO: Importing existing ${source} certificates..."
mv /opt/rudder/etc/ssl/rudder-${source}.crt /opt/rudder/etc/ssl/rudder.crt
mv /opt/rudder/etc/ssl/rudder-${source}.key /opt/rudder/etc/ssl/rudder.key
echo " Done"
fi
done
fi
# Generate certificates if needed
if [ ! -f /opt/rudder/etc/ssl/rudder.crt ] || [ ! -f /opt/rudder/etc/ssl/rudder.key ]; then
echo -n "INFO: No usable SSL certificate detected for Rudder HTTP/S support, generating one automatically..."
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$(hostname --fqdn)/" -keyout /opt/rudder/etc/ssl/rudder-relay.key -out /opt/rudder/etc/ssl/rudder-relay.crt -days 1460 -nodes -sha256 >/dev/null 2>&1
chgrp %{apache_group} /opt/rudder/etc/ssl/rudder-relay.key && chmod 640 /opt/rudder/etc/ssl/rudder-relay.key
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$(hostname --fqdn)/" -keyout /opt/rudder/etc/ssl/rudder.key -out /opt/rudder/etc/ssl/rudder.crt -days 1460 -nodes -sha256 >/dev/null 2>&1
chgrp %{apache_group} /opt/rudder/etc/ssl/rudder.key && chmod 640 /opt/rudder/etc/ssl/rudder.key
echo " Done"
fi
# Move old virtual hosts out of the way
for OLD_VHOST in rudder-default rudder-default-ssl rudder-default.conf rudder-default-ssl.conf rudder-vhost.conf rudder-vhost-ssl.conf rudder-relay-vhost.conf rudder-relay-vhost-ssl.conf; do
if [ -f /etc/%{apache_vhost_dir}/${OLD_VHOST} ]; then
echo -n "INFO: An old rudder virtual host file has been detected (${OLD_VHOST}), it will be moved to /var/backups."
mkdir -p /var/backups
mv /etc/%{apache_vhost_dir}/${OLD_VHOST} /var/backups/${OLD_VHOST}-$(date +%s)
echo " Done"
fi
done
echo -n "INFO: Starting Apache HTTPd..."
%if 0%{?rhel} < 7
service %{apache} start > /dev/null && echo " Done"
......
/bin/systemctl start %{apache}.service && echo " Done"
%endif
# Do this ONLY at first install
if [ $1 -eq 1 ]
then
......
echo "*****************************************************************************************"
echo "INFO: rudder-server-relay setup complete. "
echo "INFO: "
echo "INFO: Now run '/opt/rudder/bin/rudder-node-to-relay $(cat %{rudderdir}/etc/uuid.hive)' "
echo "INFO: on your root server to complete this node transition to a relay server. "
echo "INFO: "
echo "INFO: Please look at the documentation for details (Section 'Relay servers') "
echo "INFO: * If you are installing a root server, configuration is automatically done "
echo "INFO: * If you are installing a simple relay, run: "
echo "INFO: '/opt/rudder/bin/rudder-node-to-relay $(cat /opt/rudder/etc/uuid.hive)' "
echo "INFO: on your root server to complete this node transition to a relay server. "
echo "INFO: Please look at the documentation for details (Section 'Relay servers') "
echo "*****************************************************************************************"
fi
......
%defattr(-, root, root, 0755)
%{rudderdir}/etc/
/etc/%{apache_vhost_dir}/
%config(noreplace) /etc/%{apache_vhost_dir}/rudder-relay-vhost.conf
%config(noreplace) /etc/%{apache_vhost_dir}/rudder-relay-vhost-ssl.conf
%config(noreplace) %{rudderdir}/etc/rudder-relay-apache-common.conf
%config(noreplace) /etc/%{apache_vhost_dir}/rudder-vhost.conf
%config(noreplace) %{rudderdir}/etc/rudder-relay-apache-relay-common.conf
%config(noreplace) %{rudderdir}/etc/rudder-networks.conf
%config(noreplace) %{rudderdir}/etc/rudder-networks-24.conf
%config(noreplace) /etc/sysconfig/rudder-relay-apache
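Review bot: The `%files` entries do not match what `%install` puts in the buildroot: the vhost is installed as `/etc/%{apache_vhost_dir}/rudder.conf` but listed as `rudder-vhost.conf`, and the common fragment is installed as `rudder-apache-relay-common.conf` but listed as `rudder-relay-apache-relay-common.conf`. rpmbuild normally stops with a file-not-found error on a listed path that is absent from the buildroot. The entries should read `%config(noreplace) /etc/%{apache_vhost_dir}/rudder.conf` and `%config(noreplace) %{rudderdir}/etc/rudder-apache-relay-common.conf`. The `%post` loop that moves old vhosts away also lists `rudder-vhost.conf`, so `rudder.conf` is the installed name that loop expects to leave alone.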
rudder-server-relay/debian/conffiles
/etc/apache2/sites-available/rudder-relay-vhost
/etc/apache2/sites-available/rudder-relay-vhost-ssl
/opt/rudder/etc/rudder-relay-apache-common.conf
/etc/apache2/sites-available/rudder.conf
/opt/rudder/etc/rudder-apache-relay-common.conf
/opt/rudder/etc/rudder-networks.conf
/opt/rudder/etc/rudder-networks-24.conf
rudder-server-relay/debian/control
Package: rudder-server-relay
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, python, rudder-agent, apache2, apache2-utils, rsyslog, openssl, libapache2-mod-wsgi
Depends: ${shlibs:Depends}, ${misc:Depends}, python, rudder-agent (>= ${binary:Version}), apache2, apache2-utils, rsyslog, openssl, libapache2-mod-wsgi
Description: Configuration management and audit tool - Server relay package
Rudder is an open source configuration management and audit solution.
.
This package is required to setup a Rudder relay server.
This package is required to setup a Rudder policy server.
rudder-server-relay/debian/links
/etc/apache2/sites-available/rudder-relay-vhost /etc/apache2/sites-available/rudder-relay-vhost.conf
/etc/apache2/sites-available/rudder-relay-vhost-ssl /etc/apache2/sites-available/rudder-relay-vhost-ssl.conf
rudder-server-relay/debian/postinst
echo " Done"
fi
SITES_TO_DISABLE="default 000-default default-ssl"
SITES_TO_ENABLE="rudder-relay-vhost rudder-relay-vhost-ssl"
SITES_TO_DISABLE="default 000-default default-ssl rudder-vhost rudder-vhost-ssl rudder-relay-vhost rudder-relay-vhost-ssl"
SITES_TO_ENABLE="rudder"
MODULES_TO_ENABLE="dav dav_fs ssl wsgi"
......
htpasswd -bc ${passwdfile} rudder rudder >/dev/null 2>&1
done
# Generate the SSL certificates if needed
if [ ! -f /opt/rudder/etc/ssl/rudder-relay.crt ] || [ ! -f /opt/rudder/etc/ssl/rudder-relay.key ]; then
# Migrate existing certificates
if [ ! -f /opt/rudder/etc/ssl/rudder.crt ] || [ ! -f /opt/rudder/etc/ssl/rudder.key ]; then
for source in relay webapp; do
if [ -f /opt/rudder/etc/ssl/rudder-${source}.crt ] && [ -f /opt/rudder/etc/ssl/rudder-${source}.key ]; then
echo -n "INFO: Importing existing ${source} certificates..."
mv /opt/rudder/etc/ssl/rudder-${source}.crt /opt/rudder/etc/ssl/rudder.crt
mv /opt/rudder/etc/ssl/rudder-${source}.key /opt/rudder/etc/ssl/rudder.key
echo " Done"
fi
done
fi
# Generate certificates if needed
if [ ! -f /opt/rudder/etc/ssl/rudder.crt ] || [ ! -f /opt/rudder/etc/ssl/rudder.key ]; then
echo -n "INFO: No usable SSL certificate detected for Rudder relay HTTP/S support, generating one automatically..."
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$(hostname --fqdn)/" -keyout /opt/rudder/etc/ssl/rudder-relay.key -out /opt/rudder/etc/ssl/rudder-relay.crt -days 1460 -nodes -sha256 >/dev/null 2>&1
chgrp www-data /opt/rudder/etc/ssl/rudder-relay.key && chmod 640 /opt/rudder/etc/ssl/rudder-relay.key
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$(hostname --fqdn)/" -keyout /opt/rudder/etc/ssl/rudder.key -out /opt/rudder/etc/ssl/rudder.crt -days 1460 -nodes -sha256 >/dev/null 2>&1
chgrp www-data /opt/rudder/etc/ssl/rudder.key && chmod 640 /opt/rudder/etc/ssl/rudder.key
echo " Done"
fi
# Move old virtual hosts out of the way
for OLD_VHOST in rudder-default rudder-default-ssl rudder-vhost.conf rudder-vhost-ssl.conf rudder-relay-vhost.conf rudder-relay-vhost-ssl.conf; do
if [ -f /etc/apache2/sites-available/${OLD_VHOST} ]; then
echo -n "INFO: An old rudder virtual host file has been detected (${OLD_VHOST}), it will be moved to /var/backups."
mkdir -p /var/backups
mv /etc/apache2/sites-available/${OLD_VHOST} /var/backups/${OLD_VHOST}-$(date +%s)
echo " Done"
fi
done
echo -n "INFO: Restarting Apache HTTPd..."
service apache2 restart >/dev/null 2>&1
echo " Done"
......
echo "*****************************************************************************************"
echo "INFO: rudder-server-relay setup complete. "
echo "INFO: "
echo "INFO: Now run '/opt/rudder/bin/rudder-node-to-relay $(cat /opt/rudder/etc/uuid.hive)' "
echo "INFO: on your root server to complete this node transition to a relay server. "
echo "INFO: "
echo "INFO: Please look at the documentation for details (Section 'Relay servers') "
echo "INFO: * If you are installing a root server, configuration is automatically done "
echo "INFO: * If you are installing a simple relay, run: "
echo "INFO: '/opt/rudder/bin/rudder-node-to-relay $(cat /opt/rudder/etc/uuid.hive)' "
echo "INFO: on your root server to complete this node transition to a relay server. "
echo "INFO: Please look at the documentation for details (Section 'Relay servers') "
echo "*****************************************************************************************"
fi
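Review bot: The migration loop `for source in relay webapp` moves each pair onto `rudder.crt`/`rudder.key` without checking whether an earlier iteration already produced them, so a host holding both a relay and a webapp pair ends up with the webapp pair and the relay pair is silently overwritten; a `break` after the first successful import would make the choice explicit. The imported key also keeps whatever owner and mode it had, because `chgrp www-data /opt/rudder/etc/ssl/rudder.key && chmod 640 /opt/rudder/etc/ssl/rudder.key` runs only in the generation branch; running it after the migration as well would guarantee the key is readable by Apache's group and not by others. The same block appears in the scriptlet of rudder-server-relay.spec, with `%{apache_group}` in place of `www-data`.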
rudder-server-relay/debian/rules
dh_installchangelogs
# dh_installdocs
# dh_installexamples
cp $(CURDIR)/SOURCES/rudder-relay-vhost.conf $(CURDIR)/BUILD/rudder-relay-vhost
cp $(CURDIR)/SOURCES/rudder-relay-vhost-ssl.conf $(CURDIR)/BUILD/rudder-relay-vhost-ssl
dh_install --SOURCEDIR=$(CURDIR)/BUILD/ rudder-relay-vhost /etc/apache2/sites-available/
dh_install --SOURCEDIR=$(CURDIR)/BUILD/ rudder-relay-vhost-ssl /etc/apache2/sites-available/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ rudder-relay-apache-common.conf /opt/rudder/etc/
cp $(CURDIR)/SOURCES/rudder-relay-vhost.conf $(CURDIR)/BUILD/rudder
dh_install --SOURCEDIR=$(CURDIR)/BUILD/ rudder /etc/apache2/sites-available/rudder
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ rudder-apache-relay-common.conf /opt/rudder/etc/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ rudder-networks.conf /opt/rudder/etc/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ rudder-networks-24.conf /opt/rudder/etc/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/relay-api relay_api/ /opt/rudder/share/relay-api/
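Review bot: `cp $(CURDIR)/SOURCES/rudder-relay-vhost.conf $(CURDIR)/BUILD/rudder` still reads the old vhost file, which this revision appears to drop in favour of `SOURCES/rudder-vhost.conf` (the RPM spec's `Source1` was switched to it), so the Debian build would either fail or ship the old relay-only vhost. The following `dh_install ... rudder /etc/apache2/sites-available/rudder` also names a destination directory, not a file, which would place the vhost at `sites-available/rudder/rudder`, while debian/conffiles expects `/etc/apache2/sites-available/rudder.conf`. Copying to `$(CURDIR)/BUILD/rudder.conf` and installing it into `/etc/apache2/sites-available/` would line the three up. The sides of these lines are inferred from the file names, since the page does not mark additions and removals.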
rudder-webapp/SOURCES/rudder-apache-webapp-common.conf
# Prevent Chrome loop detection to block the page after too many
# page reloads.
<LocationMatch "/rudder">
Header add X-Chrome-Exponential-Throttling "disable"
</LocationMatch>
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
# Prevent the apache logs from beeing cluttered by 404 errors
# due to a missing robots.txt file.
Alias /robots.txt /opt/rudder/share/load-page/robots.txt
# Nice loading page if the Java server is not ready
Alias /images /opt/rudder/share/load-page/images
Alias /files /opt/rudder/share/load-page/files
Alias /rudder-loading.html /opt/rudder/share/load-page/rudder-loading.html
Alias /rudder-not-loaded.html /opt/rudder/share/load-page/rudder-not-loaded.html
ErrorDocument 503 /rudder-loading.html
ErrorDocument 404 /rudder-not-loaded.html
ProxyErrorOverride On
<IfVersion >= 2.4>
<Location /rudder/api>
ProxyErrorOverride Off
</Location>
<Location /rudder/secure/api>
ProxyErrorOverride Off
</Location>
<Location /rudder/relay-api>
ProxyErrorOverride Off
</Location>
<Location /inventories>
ProxyErrorOverride Off
</Location>
<Location /inventory-updates>
ProxyErrorOverride Off
</Location>
<Location /uuid>
ProxyErrorOverride Off
</Location>
</IfVersion>
# Enforce permissive access to the load page directory
<Directory /opt/rudder/share/load-page>
<IfVersion < 2.4>
Order deny,allow
Allow From all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</Directory>
# Deny the use of legacy API if using X-API-Version which is not '1'
SetEnvIf X-API-Version "[^1]" api_deny
# NO access to the status and archiving API unless you are localhost
<LocationMatch "^/rudder/api/(status|archives)$">
<IfVersion < 2.4>
Order allow,deny
Allow from localhost
Deny from env=api_deny
</IfVersion>
<IfVersion >= 2.4>
<RequireAll>
Require local
Require not env api_deny
</RequireAll>
</IfVersion>
</LocationMatch>
# NO access to the reloading API either unless you are localhost
<LocationMatch "^/rudder/api/(techniqueLibrary|dyngroup|deploy)/reload$">
<IfVersion < 2.4>
Order allow,deny
Allow from localhost
Deny from env=api_deny
</IfVersion>
<IfVersion >= 2.4>
<RequireAll>
Require local
Require not env api_deny
</RequireAll>
</IfVersion>
</LocationMatch>
# Note: The preceding statements are here for compatibility purpose and will
# be removed in a future version of Rudder, which will enforce authenticated
# calls to every API part.
# Link to Rudder documentation
Alias /rudder-doc /usr/share/doc/rudder/html
<Directory /usr/share/doc/rudder/html>
<IfVersion < 2.4>
Order deny,allow
Allow From all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</Directory>
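Review bot: `SetEnvIf X-API-Version "[^1]" api_deny` does not implement the comment above it: the unanchored class sets `api_deny` only when the header contains some character other than `1`, so a value such as `11` is treated like `1`. An anchored pattern such as `"^(?!1$).+"` would flag every non-empty value other than exactly `1` (SetEnvIf patterns are PCRE, so the lookahead is available) and still leave an absent header unflagged, as today. Because the two `<LocationMatch>` blocks that use this variable are also restricted to localhost, the mismatch is low impact but worth closing.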
rudder-webapp/SOURCES/rudder-apache-webapp-nossl.conf
# Rudder webapp
RewriteEngine on
# Rule 1 - If hitting the server root, redirect to Rudder
RewriteRule ^/$ /rudder [R]
# Rule 2 - If we are not currently connected via HTTP/S
RewriteCond %{HTTPS} !=on
# Rule 2 - Don't use HTTP/S for these URLs to avoid breaking the compatibility for cURL
# clients (especially in Techniques)
RewriteCond %{REQUEST_URI} !^/rudder-(not-loaded|loading).html
RewriteCond %{REQUEST_URI} !^/uuid
RewriteCond %{REQUEST_URI} !^/inventories/?
RewriteCond %{REQUEST_URI} !^/inventory-updates/?
RewriteCond %{REQUEST_URI} !^/api/?
# Rule 2 - Restrict redirection to Rudder webapp
RewriteCond %{REQUEST_URI} ^/rudder/?
# Rule 2 - Redirect to HTTP/S
RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [R]
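Review bot: The exemption `RewriteCond %{REQUEST_URI} !^/api/?` can never change the outcome, because the last condition already limits the rule to URIs starting with `/rudder`; the same holds for the `/uuid`, `/inventories` and `/inventory-updates` conditions. If the aim was to leave API calls from cURL clients on plain HTTP, the pattern would need to be `!^/rudder/api`; if not, a request to `/rudder/api` is redirected only after the client has already sent it, with whatever headers it carries, in clear text, which deserves a comment. `^/rudder/?` is also open-ended and matches `/rudder-doc`, so `^/rudder(/|$)` would state the intent more precisely.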
rudder-webapp/SOURCES/rudder-apache-webapp-ssl.conf
# Rudder webapp
RewriteEngine on
RewriteRule ^/$ /rudder [R]
ProxyPass "/rudder" "http://localhost:8080/rudder" retry=0
ProxyPassReverse "/rudder" "http://localhost:8080/rudder"
ProxyRequests Off
# Local reverse proxy authorization override
# Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
<Proxy http://localhost:8080/rudder*>
<IfVersion < 2.4>
Order deny,allow
Allow From all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</Proxy>
rudder-webapp/SOURCES/rudder-networks-24.conf
Require all denied
rudder-webapp/SOURCES/rudder-networks.conf
Deny from all
rudder-webapp/SOURCES/rudder-webapp-apache
# Apache modules
APACHE_MODULES="${APACHE_MODULES} rewrite dav dav_fs proxy proxy_http headers ssl version"
# Apache configuration flags
APACHE_SERVER_FLAGS="${APACHE_SERVER_FLAGS} SSL"
rudder-webapp/SPECS/rudder-webapp.spec
#
#####################################################################################
#=================================================
# Specification file for rudder-webapp
#
# Installs Rudder's WAR files
#
# Copyright (C) 2011 Normation
#=================================================
#=================================================
# Variables
#=================================================
......
Source1: rudder-users.xml
Source2: rudder.xml
Source3: rudder-networks.conf
Source4: rudder-networks-24.conf
Source5: rudder-upgrade
Source7: rudder-webapp
Source8: rudder-web
......
Source21: rudder-webapp.fc
Source22: rudder-keys
Source23: .gitignore
Source24: rudder-webapp-apache
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
# Dependencies
Requires: rudder-techniques = %{real_epoch}:%{real_version}, ncf, ncf-api-virtualenv, %{apache}, %{apache_tools}, git-core, rsync, openssl, %{ldap_clients}
Requires: rudder-techniques = %{real_epoch}:%{real_version}, rudder-server-relay = %{real_epoch}:%{real_version}, ncf, ncf-api-virtualenv, %{apache}, %{apache_tools}, git-core, rsync, openssl, %{ldap_clients}
# We need the PostgreSQL client utilities so that we can run database checks and upgrades (rudder-upgrade, in particular)
Requires: postgresql >= 8.4
......
rm -rf %{buildroot}
mkdir -p %{buildroot}%{rudderdir}/etc/
mkdir -p %{buildroot}%{rudderdir}/etc/ssl/
mkdir -p %{buildroot}%{rudderdir}/etc/plugins/
mkdir -p %{buildroot}%{rudderdir}/etc/server-roles.d/
mkdir -p %{buildroot}%{rudderdir}/etc/hooks.d/
......
mkdir -p %{buildroot}%{rudderdir}/share/upgrade-tools/
mkdir -p %{buildroot}%{rudderdir}/share/certificates/
mkdir -p %{buildroot}%{rudderdir}/share/selinux/
mkdir -p %{buildroot}%{ruddervardir}/inventories/incoming
mkdir -p %{buildroot}%{ruddervardir}/inventories/accepted-nodes-updates
mkdir -p %{buildroot}%{ruddervardir}/inventories/received
mkdir -p %{buildroot}%{ruddervardir}/inventories/failed
mkdir -p %{buildroot}%{ruddervardir}/configuration-repository/ncf/ncf-hooks.d
......
cp -rf %{_sourcedir}/rudder-sources/rudder/rudder-web/src/main/resources/load-page %{buildroot}%{rudderdir}/share/
cp %{_sourcedir}/rudder-sources/rudder/rudder-core/src/test/resources/script/cfe-red-button.sh %{buildroot}%{rudderdir}/bin/
cp %{_sourcedir}/rudder-sources/rudder/rudder-core/src/main/resources/reportsInfo.xml %{buildroot}%{rudderdir}/etc/
cp %{_sourcedir}/rudder-sources/rudder/rudder-web/src/main/resources/rudder-apache-common.conf %{buildroot}%{rudderdir}/etc/rudder-apache-common.conf
cp %{_sourcedir}/rudder-sources/rudder/rudder-web/src/main/resources/rudder-vhost.conf %{buildroot}/etc/%{apache_vhost_dir}/rudder-vhost.conf
cp %{_sourcedir}/rudder-sources/rudder/rudder-web/src/main/resources/rudder-vhost-ssl.conf %{buildroot}/etc/%{apache_vhost_dir}/rudder-vhost-ssl.conf
cp %{_sourcedir}/rudder-sources/rudder/rudder-web/src/main/resources/apache2-sysconfig %{buildroot}/etc/sysconfig/rudder-apache
cp %{_sourcedir}/rudder-sources/rudder/rudder-web/src/main/resources/rudder-apache-webapp-common.conf %{buildroot}%{rudderdir}/etc/rudder-apache-webapp-common.conf
cp %{_sourcedir}/rudder-sources/rudder/rudder-web/src/main/resources/rudder-apache-webapp-ssl.conf %{buildroot}%{rudderdir}/etc/rudder-apache-webapp-ssl.conf
cp %{_sourcedir}/rudder-sources/rudder/rudder-web/src/main/resources/rudder-apache-webapp-nossl.conf %{buildroot}%{rudderdir}/etc/rudder-apache-webapp-no-ssl.conf
cp %{SOURCE24} %{buildroot}/etc/sysconfig/rudder-webapp-apache
cp -r %{_sourcedir}/rudder-sources/rudder/rudder-core/src/main/resources/hooks.d %{buildroot}%{rudderdir}/etc/
install -m 644 %{SOURCE2} %{buildroot}%{rudderdir}/share/webapps/
# Copy stub rudder-networks*.conf
cp %{SOURCE3} %{buildroot}%{rudderdir}/etc/
cp %{SOURCE4} %{buildroot}%{rudderdir}/etc/
%if 0%{?suse_version}
# On SLES, change the Apache DocumentRoot to the OS default
sed -i "s%^DocumentRoot /var/www$%DocumentRoot /srv/www%" %{buildroot}%{rudderdir}/etc/rudder-apache-common.conf
%endif
# Install upgrade tools and migration scripts
## SQL
......
# Add required includes in the SLES apache2 configuration
%if 0%{?suse_version}
if ! grep -qE "^. /etc/sysconfig/rudder-apache$" /etc/sysconfig/apache2
if ! grep -qE "^. /etc/sysconfig/rudder-webapp-apache$" /etc/sysconfig/apache2
then
echo -e '# This sources the modules/defines needed by Rudder\n. /etc/sysconfig/rudder-apache' >> /etc/sysconfig/apache2
echo -e '# This sources the modules/defines needed by Rudder\n. /etc/sysconfig/rudder-webapp-apache' >> /etc/sysconfig/apache2
fi
%endif
# Update /etc/sysconfig/apache2 in case an old module loading entry has already been created by Rudder
if [ -f /etc/sysconfig/apache2 ] && grep -q 'APACHE_MODULES="${APACHE_MODULES} rewrite dav dav_fs proxy proxy_http' /etc/sysconfig/apache2
then
echo "INFO: Upgrading the /etc/sysconfig/apache2 file, Rudder needed modules for Apache are now listed in /etc/sysconfig/rudder-apache"
sed -i 's%APACHE_MODULES="${APACHE_MODULES} rewrite dav dav_fs proxy proxy_http.*%# This sources the Rudder needed by Rudder\n. /etc/sysconfig/rudder-apache%' /etc/sysconfig/apache2
echo "INFO: Upgrading the /etc/sysconfig/apache2 file, Rudder needed modules for Apache are now listed in /etc/sysconfig/rudder-relay-apache"
sed -i 's%APACHE_MODULES="${APACHE_MODULES} rewrite dav dav_fs proxy proxy_http.*%# This sources the Rudder needed by Rudder\n. /etc/sysconfig/rudder-relay-apache%' /etc/sysconfig/apache2
fi
# Add right to apache user to access /var/rudder/inventories/incoming
# Add perms on tools and inventories
chmod 751 /var/rudder/inventories
chown root:%{apache_group} %{ruddervardir}/inventories/incoming
chmod 2770 %{ruddervardir}/inventories/incoming
chown root:%{apache_group} %{ruddervardir}/inventories/accepted-nodes-updates
chmod 2770 %{ruddervardir}/inventories/accepted-nodes-updates
chmod 755 -R %{rudderdir}/share/tools
chmod 655 -R %{rudderdir}/share/load-page
%{htpasswd_cmd} -bc %{rudderdir}/etc/htpasswd-webdav-initial rudder rudder >/dev/null 2>&1
%{htpasswd_cmd} -bc %{rudderdir}/etc/htpasswd-webdav rudder rudder >/dev/null 2>&1
# If the current Rudder HTTPd configuration uses /var/log/rudder/httpd, change it
for i in /etc/%{apache_vhost_dir}/rudder-*.conf
do
if grep -q /var/log/rudder/httpd "${i}"; then
echo -n "INFO: Old logging configuration detected in ${i}, changing to log into %{rudderlogdir}/apache2..."
sed -i "s%/var/log/rudder/httpd/\(.*\).log%/var/log/rudder/apache2/\1.log%" "${i}"
echo " Done"
fi
done
# If this machine has old logging entries on RHEL, migrate them.
if [ -d %{rudderlogdir}/httpd ]; then
echo -n "INFO: Old logging directory detected (%{rudderlogdir}/httpd), migrating to %{rudderlogdir}/apache2..."
mkdir -p %{rudderlogdir}/apache2
mv %{rudderlogdir}/httpd/* %{rudderlogdir}/apache2/
rmdir %{rudderlogdir}/httpd
echo " Done"
fi
# Move old virtual hosts out of the way
for OLD_VHOST in rudder-default rudder-default-ssl rudder-default.conf rudder-default-ssl.conf; do
if [ -f /etc/%{apache_vhost_dir}/${OLD_VHOST} ]; then
echo -n "INFO: An old rudder virtual host file has been detected (${OLD_VHOST}), it will be moved to /var/backups."
mkdir -p /var/backups
mv /etc/%{apache_vhost_dir}/${OLD_VHOST} /var/backups/${OLD_VHOST}-$(date +%s)
echo " Done"
fi
done
# Generate the SSL certificates if needed
if [ ! -f /opt/rudder/etc/ssl/rudder-webapp.crt ] || [ ! -f /opt/rudder/etc/ssl/rudder-webapp.key ]; then
echo -n "INFO: No usable SSL certificate detected for Rudder HTTP/S support, generating one automatically..."
openssl req -new -x509 -newkey rsa:2048 -subj "/C=FR/ST=France/L=Paris/CN=$(hostname --fqdn)/emailAddress=root@$(hostname --fqdn)/" -keyout /opt/rudder/etc/ssl/rudder-webapp.key -out /opt/rudder/etc/ssl/rudder-webapp.crt -days 1460 -nodes -sha256 >/dev/null 2>&1
chgrp %{apache_group} /opt/rudder/etc/ssl/rudder-webapp.key && chmod 640 /opt/rudder/etc/ssl/rudder-webapp.key
echo " Done"
fi
%if 0%{?rhel} || 0%{?fedora}
# SELinux support
# Check "sestatus" presence, and if here tweak our installation to be
......
# Remove required includes in the SLES apache2 configuration
if [ -f /etc/sysconfig/apache2 ]; then
sed -i "/# This sources the modules\/defines needed by Rudder/d" /etc/sysconfig/apache2
sed -i "/. \/etc\/sysconfig\/rudder-apache/d" /etc/sysconfig/apache2
sed -i "/. \/etc\/sysconfig\/rudder-webapp-apache/d" /etc/sysconfig/apache2
# Also remove an older comment that was erroneously added until 2.11.21 / 3.0.16 / 3.1.10 / 3.2.3
sed -i "/# This sources the configuration file needed by Rudder/d" /etc/sysconfig/apache2
......
%{ruddervardir}/configuration-repository/ncf/ncf-hooks.d
%{rudderlogdir}/apache2/
/etc/%{apache_vhost_dir}/
%config %{rudderdir}/etc/rudder-apache-common.conf
%config(noreplace) /etc/%{apache_vhost_dir}/rudder-vhost.conf
%config(noreplace) /etc/%{apache_vhost_dir}/rudder-vhost-ssl.conf
%config(noreplace) %{rudderdir}/etc/rudder-networks.conf
%config(noreplace) %{rudderdir}/etc/rudder-networks-24.conf
%config(noreplace) /etc/sysconfig/rudder-apache
%config %{rudderdir}/etc/rudder-apache-webapp.conf
%config(noreplace) /etc/sysconfig/rudder-webapp-apache
/usr/share/doc/rudder
#=================================================
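Review bot: The no-SSL fragment is installed as `rudder-apache-webapp-no-ssl.conf`, but the vhost in this revision includes `/opt/rudder/etc/rudder-apache-*-nossl.conf`, so the HTTP-to-HTTPS redirect rules would never be loaded (and on Apache 2.4 the unmatched `Include` is a startup error). The three `cp` lines also read the fragments from `rudder-sources/rudder/rudder-web/src/main/resources/`, while this revision places them under `rudder-webapp/SOURCES/`, and `%files` lists `%config %{rudderdir}/etc/rudder-apache-webapp.conf`, a name nothing on this page installs. Installing to `rudder-apache-webapp-nossl.conf` and listing the three installed names in `%files` would make the spec consistent; whether the fragments also exist in the upstream source tree cannot be told from this page.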
rudder-webapp/debian/conffiles
/opt/rudder/etc/rudder-web.properties
/opt/rudder/etc/rudder-users.xml
/opt/rudder/etc/logback.xml
/opt/rudder/etc/rudder-apache-common.conf
/etc/apache2/sites-available/rudder-vhost
/etc/apache2/sites-available/rudder-vhost-ssl
/opt/rudder/etc/rudder-apache-webapp-common.conf
/opt/rudder/etc/rudder-networks.conf
/opt/rudder/etc/rudder-networks-24.conf
/opt/rudder/etc/rudder-passwords.conf
rudder-webapp/debian/control
Package: rudder-webapp
Architecture: all
Depends: ${shlibs:Depends}, ${misc:Depends}, rudder-jetty | jetty | jetty8, rudder-techniques (>= ${binary:Version}), apache2, apache2-utils, ncf, git-core, rsync, lsb-release, openssl, ldap-utils, postgresql-client (>=8.4), ncf-api-virtualenv
# Begin takeover config: in version 2.11, rudder-webapp took over several files from rudder-server-root
# See http://www.rudder-project.org/redmine/issues/4654
Replaces: rudder-server-root (<< 2.11)
Breaks: rudder-server-root (<< 2.11)
# End takeover config
Depends: ${shlibs:Depends}, ${misc:Depends}, rudder-jetty | jetty | jetty8, rudder-techniques (= ${binary:Version}), rudder-server-relay (= ${binary:Version}), apache2, apache2-utils, ncf, git-core, rsync, lsb-release, openssl, ldap-utils, postgresql-client (>=8.4), ncf-api-virtualenv
Description: Configuration management and audit tool - webapp
Rudder is an open source configuration management and audit solution.
.
rudder-webapp/debian/dirs
opt/rudder/share/certificates
opt/rudder/share/selinux
opt/rudder/etc
opt/rudder/etc/ssl
opt/rudder/etc/plugins
opt/rudder/etc/hooks.d
opt/rudder/share/tools
......
var/rudder/lock
var/rudder/tools
var/rudder/run
var/rudder/inventories/accepted-nodes-updates
var/rudder/inventories/incoming
var/rudder/inventories/received
var/rudder/inventories/failed
var/rudder/inventories/historical
rudder-webapp/debian/postinst
invoke-rc.d rsyslog restart >/dev/null 2>&1
echo "Done"
# Get the current apache version
APACHE_VERSION=$(apache2 -v|grep Apache|sed "s%^.*Apache/\([0-9].[0-9]\).*%\1%")
SITES_TO_DISABLE="default 000-default default-ssl rudder-default rudder-default-ssl"
SITES_TO_ENABLE="rudder-vhost rudder-vhost-ssl"
MODULES_TO_ENABLE="dav_fs rewrite proxy_http headers ssl"
MODULES_TO_ENABLE="rewrite proxy_http headers ssl"
# This module is compiled in core in some distro (debian)
a2enmod version >/dev/null 2>&1 || true
# Migration: Clean up old vhosts if we are running Apache 2.4
if [ ${APACHE_VERSION} = 2.4 ]
then
for i in ${SITES_TO_ENABLE}
do
[ ! -e /etc/apache2/sites-enabled/${i} ] || rm -f /etc/apache2/sites-enabled/${i}
done
fi
for dissite in ${SITES_TO_DISABLE}
do
a2dissite ${dissite} >/dev/null 2>&1 || true
done
for ensite in ${SITES_TO_ENABLE}
do
a2ensite ${ensite} >/dev/null 2>&1
done
for enmod in ${MODULES_TO_ENABLE}
do
a2enmod ${enmod} >/dev/null 2>&1
done
# Add right to apache user to access /var/rudder/inventories/incoming
# Add perms on tools and inventories
chmod 751 /var/rudder/inventories
chown root:www-data /var/rudder/inventories/incoming
chmod 2770 /var/rudder/inventories/incoming
chown root:www-data /var/rudder/inventories/accepted-nodes-updates
chmod 2770 /var/rudder/inventories/accepted-nodes-updates
chmod 755 -R /opt/rudder/share/tools
htpasswd -bc /opt/rudder/etc/htpasswd-webdav-initial rudder rudder >/dev/null 2>&1
htpasswd -bc /opt/rudder/etc/htpasswd-webdav rudder rudder >/dev/null 2>&1
# Move old virtual hosts out of the way
for OLD_VHOST in rudder-default rudder-default-ssl; do
if [ -f /etc/apache2/sites-available/${OLD_VHOST} ]; then
echo -n "INFO: An old rudder virtual host file has been detected (${OLD_VHOST}), it will be moved to /var/backups."
mkdir -p /var/backups
mv /etc/apache2/sites-available/${OLD_VHOST} /var/backups/${OLD_VHOST}-$(date +%s)
echo " Done"
fi
done
# Generate the SSL certificates if needed
if [ ! -f /opt/rudder/etc/ssl/rudder-webapp.crt ] || [ ! -f /opt/rudder/etc/ssl/rudder-webapp.key ]; then
echo -n "INFO: No usable SSL certificate detected for Rudder HTTP/S support, generating one automatically..."
openssl req -new -x509 -newkey rsa:2048 -subj "/C=FR/ST=France/L=Paris/CN=$(hostname --fqdn)/emailAddress=root@$(hostname --fqdn)/" -keyout /opt/rudder/etc/ssl/rudder-webapp.key -out /opt/rudder/etc/ssl/rudder-webapp.crt -days 1460 -nodes -sha256 >/dev/null 2>&1
chgrp www-data /opt/rudder/etc/ssl/rudder-webapp.key && chmod 640 /opt/rudder/etc/ssl/rudder-webapp.key
echo " Done"
fi
echo -n "INFO: Restarting Apache HTTPd..."
/etc/init.d/apache2 restart >/dev/null 2>&1
echo " Done"
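Review bot: In the certificate block near the end of this section, the unencrypted private key is written by `openssl req … -nodes -keyout /opt/rudder/etc/ssl/rudder-webapp.key` and only restricted afterwards by `chgrp www-data … && chmod 640 …`, so between the two commands its mode depends on the umask and the OpenSSL version in use. Generating it under a tight umask closes that window: `( umask 077; openssl req … )`. The same command sends all output to `/dev/null`, so a failed generation is not reported, and `echo " Done"` may still print unless the script runs under `set -e`, which is not visible here. Checking the exit status of `openssl req` before the `chgrp` would make the failure explicit. The rendered page does not mark which lines this commit changed, so this block may be unchanged context, and the script starts outside this section.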
rudder-webapp/debian/rules
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/rudder-sources/rudder/rudder-core/src/test/resources/script/ cfe-red-button.sh /opt/rudder/bin/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/rudder-sources/rudder/rudder-core/src/main/resources/ reportsInfo.xml /opt/rudder/etc/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/rudder-sources/rudder/rudder-web/src/main/resources/ load-page/ /opt/rudder/share/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/rudder-sources/rudder/rudder-web/src/main/resources/ rudder-apache-common.conf /opt/rudder/etc/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/rudder-sources/rudder/rudder-web/src/main/resources/ rudder-apache-webapp-common.conf /opt/rudder/etc/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/rudder-sources/rudder/rudder-web/src/main/resources/ rudder-apache-webapp-ssl.conf /opt/rudder/etc/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/rudder-sources/rudder/rudder-web/src/main/resources/ rudder-apache-webapp-nossl.conf /opt/rudder/etc/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/rudder-sources/rudder/rudder-core/src/main/resources/ hooks.d/ /opt/rudder/etc/
cp $(CURDIR)/SOURCES/rudder-sources/rudder/rudder-web/src/main/resources/rudder-vhost.conf $(CURDIR)/BUILD/rudder-vhost
cp $(CURDIR)/SOURCES/rudder-sources/rudder/rudder-web/src/main/resources/rudder-vhost-ssl.conf $(CURDIR)/BUILD/rudder-vhost-ssl
dh_install --SOURCEDIR=$(CURDIR)/BUILD/ rudder-vhost /etc/apache2/sites-available/
dh_install --SOURCEDIR=$(CURDIR)/BUILD/ rudder-vhost-ssl /etc/apache2/sites-available/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ rudder.xml /opt/rudder/share/webapps/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ rudder-networks.conf /opt/rudder/etc/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ rudder-networks-24.conf /opt/rudder/etc/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ rudder-passwords.conf /opt/rudder/etc/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ rudder-webapp /opt/rudder/etc/server-roles.d/
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ rudder-web /opt/rudder/etc/server-roles.d/
