
[horizon] Better Apache module enablement

Open odyssey4me opened this issue 10 years ago • 6 comments

The code https://github.com/rcbops-cookbooks/horizon/blob/master/recipes/server.rb#L52-L54 should actually be replaced with something that sets (or merges) node['apache']['default_modules'] in order to let the Apache cookbook do the recipe includes.

odyssey4me avatar Mar 28 '14 07:03 odyssey4me

@odyssey4me Did you ever drop in any code for this on your end?

claco avatar Jun 25 '14 14:06 claco

@claco Hmm... for something I was working with, but never quite got done, I have this:

environment file:

    "apache": {
      "default_modules": [ "status", "alias", "auth_basic", "authn_file",
                           "authz_default", "authz_groupfile", "authz_host",
                           "authz_user", "dir", "env", "mime", "negotiation",
                           "setenvif", "proxy", "proxy_http", "rewrite",
                           "wsgi", "ssl" ],
      "serversignature": "Off",
      "traceenable": "Off"
    },

horizon server recipe file:

    include_recipe "apache2"
    #include_recipe "apache2::mod_wsgi"
    #include_recipe "apache2::mod_rewrite"
    #include_recipe "apache2::mod_ssl"

    # ensure that autoindex is off
    apache_module "autoindex" do
      enable false
    end

Note that this was work done for grizzly, so it may need some tweaking... but it'll get you going. :)

Also note that you may not want the [ "proxy", "proxy_http" ] modules in the rcbops use-case as you're not using reverse proxy (we are).

I would think that the best approach would be to have the apache attributes set as overrides in the horizon role (or an appropriate role) to prevent having to do so in the environment for each setup.

The autoindex disable is to absolutely make sure that Chef disables it (we wanted that - recommendation from security team) even if the platform has it enabled by default in the packaging.

HTH - sorry, but I don't have a test environment at the moment to actually put together a commit and PR it :(

odyssey4me avatar Jun 25 '14 15:06 odyssey4me

@odyssey4me honestly, just wondering if it's worth dropping into 4.3.2rc.

claco avatar Jun 25 '14 15:06 claco

It's not essential, just an efficiency thing really - I implemented this because I kept seeing the chef run redo the configs over and over again. Also, getting the security bits right was important for us as we're running more publicly than the standard rcbops use-case.

odyssey4me avatar Jun 25 '14 16:06 odyssey4me

Yeah, good point on the autoindex thing.

claco avatar Jun 25 '14 16:06 claco

So it seems that by using the default modules attr, we're actually introducing more complexity. Now we have to worry about where the array is merged, and tweaked, and defaulted, and overridden. In contrast, the current code simply declares that no matter what other things have happened, we need to specifically ensure those 3 modules are enabled. I could just be being obtuse. :-)

So with that said, I'll likely leave the include code. Want to say that the restarts, at least in havana, were the ports.conf always reordering. I don't see any unnecessary restarts at this point.

claco avatar Jun 25 '14 18:06 claco
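An added example, not code from the horizon cookbook or from either commenter: a plain-Ruby model of the "set or merge `node['apache']['default_modules']`" approach from the environment-file comment above, written to address the later concern about where the array gets merged, tweaked and overridden. It merges the environment list with the modules the recipe requires, forces the security-team deny list (autoindex) off regardless of platform packaging, optionally drops the proxy modules for the non-reverse-proxy rcbops case, and keeps a stable order so a second run is a no-op; the helper names (`merge_apache_modules`, `denied_present`, the constants) are assumptions, and the sample list is constructed from the thread.

```ruby
# Added example (not from the rcbops horizon cookbook): pure-Ruby model of the
# "set or merge node['apache']['default_modules']" approach discussed above.
# Module names come from the environment fragment in the thread; the helper
# names (HORIZON_REQUIRED, DENIED_MODULES, merge_apache_modules) are assumptions.
require 'set'

# Modules the horizon recipe needs regardless of what the environment set.
HORIZON_REQUIRED = %w[wsgi rewrite ssl].freeze

# Modules the security team wanted off even if the platform package enables them.
DENIED_MODULES = %w[autoindex].freeze

# Merge the environment/role list with the recipe's requirements, drop anything
# denied, and keep first-seen order so the result is stable across runs
# (an unstable order would rewrite the config and restart Apache every run).
def merge_apache_modules(env_modules, required: HORIZON_REQUIRED, denied: DENIED_MODULES, reverse_proxy: true)
  denied = denied.dup
  denied += %w[proxy proxy_http] unless reverse_proxy   # rcbops case from the thread
  seen = Set.new
  (env_modules + required).each_with_object([]) do |mod, out|
    next if denied.include?(mod) || seen.include?(mod)
    seen << mod
    out << mod
  end
end

# Report which denied modules a platform/environment tried to enable, so the
# recipe can log why it is forcing them off.
def denied_present(env_modules, denied: DENIED_MODULES)
  env_modules & denied
end

# Sample input (constructed): the environment-file list from the thread, plus
# autoindex as if the platform packaging had enabled it.
SAMPLE_ENV_MODULES = %w[status alias auth_basic authn_file authz_default authz_groupfile
                        authz_host authz_user dir env mime negotiation setenvif
                        proxy proxy_http rewrite wsgi ssl autoindex].freeze

if $PROGRAM_NAME == __FILE__
  first  = merge_apache_modules(SAMPLE_ENV_MODULES, reverse_proxy: false)
  second = merge_apache_modules(first, reverse_proxy: false)   # second run: no change
  puts "modules: #{first.join(' ')}"
  puts "stable across runs: #{first == second}"
  puts "forced off: #{denied_present(SAMPLE_ENV_MODULES).join(' ')}"
end
```

In a real recipe the same merge would be written against `node.default['apache']['default_modules']` before `include_recipe "apache2"`, with the deny list still enforced by an explicit `apache_module ... enable false`.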