path: root/apache/apache-ssl.cf

#! /usr/bin/cfengine -qvf

control:
    OutputPrefix    = ("${cf_prefix}")
    actionsequence  = ( editfiles shellcommands processes )
    AddInstallable  = ( apache_ssl_reload )
    EditfileSize    = ( 50000 )

editfiles:
    any::
    { /etc/apache-ssl/httpd.conf
        DefineClasses "apache_ssl_reload"
        #
        # ServerAdmin webmaster@$(domain)
        #
        # (Try to add it _before_ virtual hosts)
        #
        WarnIfNoLineMatching "^[[:blank:]]*ServerAdmin[[:blank:]].*"
        BeginGroupIfNoLineMatching "^[[:blank:]]*ServerAdmin[[:blank:]].*"
            BeginGroupIfNoLineMatching "^(### Section 3: Virtual Hosts|#?NameVirtualHost.*|#?VirtualHost.*)$"
                Append "ServerAdmin webmaster@$(domain)"
            EndGroup
            BeginGroupIfNoLineMatching "^[[:blank:]]*ServerAdmin[[:blank:]].*"
                LocateLineMatching "^(### Section 3: Virtual Hosts|#?NameVirtualHost.*|#?VirtualHost.*)$"
                InsertLine "ServerAdmin webmaster@$(domain)"
            EndGroup
        EndGroup
        LocateLineMatching "^[[:blank:]]*ServerAdmin[[:blank:]].*"
        BeginGroupIfNoLineMatching "^[[:blank:]]*ServerAdmin[[:blank:]]*webmaster@$(domain)[[:blank:]]*$"
            ReplaceLineWith "ServerAdmin webmaster@$(domain)"
        EndGroup
        #
        # Make space for cfengine hacks
        #
        # (Try to add it _before_ virtual hosts)
        #
        ResetSearch "1"
        BeginGroupIfNoSuchLine "# BEGIN CFENGINE"
            BeginGroupIfNoLineMatching "^(### Section 3: Virtual Hosts|#?NameVirtualHost.*|#?VirtualHost.*)$"
                Append ""
                Append "# BEGIN CFENGINE"
                Append "# END CFENGINE"
            EndGroup
            BeginGroupIfNoLineMatching "^# BEGIN CFENGINE$"
                LocateLineMatching "^(### Section 3: Virtual Hosts|#?NameVirtualHost.*|#?VirtualHost.*)$"
                IncrementPointer "-1"
                InsertLine ""
                InsertLine "# BEGIN CFENGINE"
                InsertLine "# END CFENGINE"
                InsertLine ""
            EndGroup
        EndGroup
        #
        # LoadModule php3_module /usr/lib/apache/1.3/libphp3.so
        #
        # <IfModule libphp3.c>
        #   php3_display_errors off
        #   php3_log_errors on
        #   AddType application/x-httpd-php3 .php3
        #   AddType application/x-httpd-php3-source .phps
        # </IfModule>
        #
        BeginGroupIfFileExists "/usr/lib/apache/1.3/libphp3.so"
            ResetSearch "1"
# bug!          UnCommentLinesMatching "^#[[:blank:]]*LoadModule[[:blank:]]+php3_module[[:blank:]].*"
            LocateLineMatching "^#[[:blank:]]*LoadModule[[:blank:]]+php3_module[[:blank:]]+/usr/lib/apache/1.3/libphp3.so$"
            ReplaceLineWith "LoadModule php3_module /usr/lib/apache/1.3/libphp3.so"
            CatchAbort
            AbortAtLineMatching "^# END CFENGINE$"
            LocateLineMatching "^# BEGIN CFENGINE$"
            BeginGroupIfNoSuchLine "<IfModule libphp3.c>"
                InsertLine "<IfModule libphp3.c>"
                InsertLine "</IfModule>"
            EndGroup
            ResetSearch "1"
            LocateLineMatching "^# BEGIN CFENGINE$"
            LocateLineMatching "^<IfModule libphp3.c>$"
            BeginGroupIfNoLineMatching "[[:blank:]]*php3_display_errors off"
                InsertLine "    php3_display_errors off"
            EndGroup
            BeginGroupIfNoLineMatching "[[:blank:]]*php3_log_errors on"
                InsertLine "    php3_log_errors on"
            EndGroup
            BeginGroupIfNoLineMatching "[[:blank:]]*AddType application/x-httpd-php3 .php3"
                InsertLine "    AddType application/x-httpd-php3 .php3"
            EndGroup
            BeginGroupIfNoLineMatching "[[:blank:]]*AddType application/x-httpd-source .phps"
                InsertLine "    AddType application/x-httpd-source .phps"
            EndGroup
            UnsetAbort "^# END CFENGINE$"
        EndGroup
        #
        # LoadModule php4_module /usr/lib/apache/1.3/libphp4.so
        #
        # <IfModule libphp4.c>
        #   php_flag display_errors off
        #   php_flag log_errors on
        #   AddType application/x-httpd-php .phtml .php .inc .php3
        #   AddType application/x-httpd-php-source .phps
        # </IfModule>
        #
        BeginGroupIfFileExists "/usr/lib/apache/1.3/libphp4.so"
            ResetSearch "1"
#           UnCommentLinesMatching "^\#[[:blank:]]*LoadModule[[:blank:]]+php4\_module[[:blank:]].*"
            LocateLineMatching "^#[[:blank:]]*LoadModule[[:blank:]]+php4\_module[[:blank:]]+/usr/lib/apache/1.3/libphp4.so$"
            ReplaceLineWith "LoadModule php4_module /usr/lib/apache/1.3/libphp4.so"
            CatchAbort
            AbortAtLineMatching "^# END CFENGINE$"
            LocateLineMatching "^# BEGIN CFENGINE$"
            BeginGroupIfNoSuchLine "<IfModule libphp4.c>"
                InsertLine "<IfModule libphp4.c>"
                InsertLine "</IfModule>"
            EndGroup
            ResetSearch "1"
            LocateLineMatching "^# BEGIN CFENGINE$"
            LocateLineMatching "^<IfModule libphp4.c>$"
            BeginGroupIfNoLineMatching "^.*php_flag[[:blank:]]*display_errors[[:blank:]]*off$"
                InsertLine "    php_flag display_errors off"
            EndGroup
            BeginGroupIfNoLineMatching ".*php_flag log_errors on"
                InsertLine "    php_flag log_errors on"
            EndGroup
            BeginGroupIfNoLineMatching "[[:blank:]]*AddType application/x-httpd-php .phtml .php .inc .php3"
                InsertLine "    AddType application/x-httpd-php .phtml .php .inc .php3"
            EndGroup
            BeginGroupIfNoLineMatching "[[:blank:]]*AddType application/x-httpd-source .phps"
                InsertLine "    AddType application/x-httpd-source .phps"
            EndGroup
            UnsetAbort "^# END CFENGINE$"
        EndGroup
        #
        # LoadModule gzip_module /usr/lib/apache/1.3/mod_gzip.so
        #
        # <IfModule mod_gzip.c>
        #   mod_gzip_dechunk yes
        #   mod_gzip_keep_workfiles No
        #   mod_gzip_temp_dir /tmp
        #   mod_gzip_minimum_file_size 1002
        #   mod_gzip_maximum_file_size 0
        #   mod_gzip_maximum_inmem_size 1000000
        #   mod_gzip_item_include file "\.htm$"
        #   mod_gzip_item_include file "\.html$"
        #   mod_gzip_item_include mime "text/.*"
        #   mod_gzip_item_include file "\.php$"
        #   mod_gzip_item_include mime "jserv-servlet"
        #   mod_gzip_item_include handler "jserv-servlet"
        #   mod_gzip_item_include mime "application/x-httpd-php.*"
        #   mod_gzip_item_include mime "httpd/unix-directory"
        #   mod_gzip_item_exclude file "\.css$"
        #   mod_gzip_item_exclude file "\.js$"
        #   mod_gzip_item_exclude file "\.wml$"
        # </IfModule>
        #
        BeginGroupIfFileExists "/usr/lib/apache/1.3/mod_gzip.so"
            ResetSearch "1"
#           SetCommentStart "#"
#           SetCommentEnd ""
#           UnCommentLinesMatching "^\#[[:blank:]]*LoadModule[[:blank:]]+gzip_module[[:blank:]].*"
            LocateLineMatching "#[[:blank:]]*LoadModule[[:blank:]]+gzip_module[[:blank:]]+/usr/lib/apache/1.3/mod_gzip.so"
#           UnCommentNLines "1"
            ReplaceLineWith "LoadModule gzip_module /usr/lib/apache/1.3/mod_gzip.so"
            CatchAbort
            AbortAtLineMatching "^# END CFENGINE$"
            LocateLineMatching "^# BEGIN CFENGINE$"
            BeginGroupIfNoSuchLine "<IfModule mod_gzip.c>"
                InsertLine "<IfModule mod_gzip.c>"
                InsertLine "</IfModule>"
            EndGroup
            ResetSearch "1"
            LocateLineMatching "^# BEGIN CFENGINE$"
            LocateLineMatching "^<IfModule mod_gzip.c>$"
            BeginGroupIfNoLineMatching '    mod_gzip_on yes'
                InsertLine '    mod_gzip_on yes'
            EndGroup
            BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_dechunk yes'
                InsertLine '    mod_gzip_dechunk yes'
            EndGroup
            BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_keep_workfiles No'
                InsertLine '    mod_gzip_keep_workfiles No'
            EndGroup
            BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_temp_dir /tmp'
                InsertLine '    mod_gzip_temp_dir /tmp'
            EndGroup
            BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_minimum_file_size 1002'
                InsertLine '    mod_gzip_minimum_file_size 1002'
            EndGroup
            BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_maximum_file_size 0'
                InsertLine '    mod_gzip_maximum_file_size 0'
            EndGroup
            BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_maximum_inmem_size 1000000'
                InsertLine '    mod_gzip_maximum_inmem_size 1000000'
            EndGroup
            BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include file "\\\.htm\$"'
                InsertLine '    mod_gzip_item_include file "\.htm$"'
            EndGroup
            BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include file "\\\.html\$"'
                InsertLine '    mod_gzip_item_include file "\.html$"'
            EndGroup
            BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include mime "text/\.\*"'
                InsertLine '    mod_gzip_item_include mime "text/.*"'
            EndGroup
            BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include file "\\\.php\$"'
                InsertLine '    mod_gzip_item_include file "\.php$"'
            EndGroup
            BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include mime "jserv-servlet"'
                InsertLine '    mod_gzip_item_include mime "jserv-servlet"'
            EndGroup
            BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include handler "jserv-servlet"'
                InsertLine '    mod_gzip_item_include handler "jserv-servlet"'
            EndGroup
            BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include mime "application/x-httpd-php\.\*"'
                InsertLine '    mod_gzip_item_include mime "application/x-httpd-php.*"'
            EndGroup
            BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_include mime "httpd/unix-directory"'
                InsertLine '    mod_gzip_item_include mime "httpd/unix-directory"'
            EndGroup
            BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_exclude file "\\\.css\$"'
                InsertLine '    mod_gzip_item_exclude file "\.css$"'
            EndGroup
            BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_exclude file "\\\.js\$"'
                InsertLine '    mod_gzip_item_exclude file "\.js$"'
            EndGroup
            BeginGroupIfNoLineMatching '[[:blank:]]*mod_gzip_item_exclude file "\\\.wml\$"'
                InsertLine '    mod_gzip_item_exclude file "\.wml$"'
            EndGroup
            UnsetAbort "^# END CFENGINE$"
        EndGroup
        #
        # LoadModule index_rss_module /usr/lib/apache/1.3/mod_index_rss.so
        #
        # <IfModule mod_index_rss.c>
        #   IndexRSSEngine On
        # </IfModule>
        #
        BeginGroupIfFileExists "/usr/lib/apache/1.3/mod_index_rss.so"
            ResetSearch "1"
# bug!          UnCommentLinesMatching "^#[[:blank:]]*LoadModule[[:blank:]]+index_rss_module[[:blank:]].*"
            LocateLineMatching "^#[[:blank:]]*LoadModule[[:blank:]]+index_rss_module[[:blank:]]+/usr/lib/apache/1.3/mod_index_rss.so$"
            ReplaceLineWith "LoadModule index_rss_module /usr/lib/apache/1.3/mod_index_rss.so"
            CatchAbort
            AbortAtLineMatching "^# END CFENGINE$"
            LocateLineMatching "^# BEGIN CFENGINE$"
            BeginGroupIfNoSuchLine "<IfModule mod_index_rss.c>"
                InsertLine "<IfModule mod_index_rss.c>"
                InsertLine "</IfModule>"
            EndGroup
            ResetSearch "1"
            LocateLineMatching "^# BEGIN CFENGINE$"
            LocateLineMatching "^<IfModule mod_index_rss.c>$"
            BeginGroupIfNoLineMatching "[[:blank:]]+IndexRSSEngine On"
                InsertLine "    IndexRSSEngine On"
            EndGroup
            UnsetAbort "^# END CFENGINE$"
        EndGroup
        #
        # LoadModule pam_auth_module /usr/lib/apache/1.3/mod_auth_pam.so
        #
        # <IfModule mod_auth_pam.c>
        #   <Location />
        #       AuthPAM_Enabled Off
        #   </Location>
        # </IfModule>
        #
        BeginGroupIfFileExists "/usr/lib/apache/1.3/mod_auth_pam.so"
            ResetSearch "1"
# bug!          UnCommentLinesMatching "^#[[:blank:]]*LoadModule[[:blank:]]+pam_auth_module[[:blank:]].*"
            LocateLineMatching "^#[[:blank:]]*LoadModule[[:blank:]]+pam_auth_module[[:blank:]]+/usr/lib/apache/1.3/mod_auth_pam.so$"
            ReplaceLineWith "LoadModule pam_auth_module /usr/lib/apache/1.3/mod_auth_pam.so"
            CatchAbort
            AbortAtLineMatching "^# END CFENGINE$"
            LocateLineMatching "^# BEGIN CFENGINE$"
            BeginGroupIfNoSuchLine "<IfModule mod_auth_pam.c>"
                InsertLine "<IfModule mod_auth_pam.c>"
                InsertLine "    <Location />"
                InsertLine "    </Location>"
                InsertLine "</IfModule>"
            EndGroup
            ResetSearch "1"
            LocateLineMatching "^# BEGIN CFENGINE$"
            LocateLineMatching "^<IfModule mod_auth_pam.c>$"
            LocateLineMatching "[[:blank:]]+<Location />"
            BeginGroupIfNoLineMatching "[[:blank:]]+AuthPAM_Enabled Off"
                InsertLine "        AuthPAM_Enabled Off"
            EndGroup
            UnsetAbort "^# END CFENGINE$"
        EndGroup
        #
        # LoadModule authshadow_module /usr/lib/apache/1.3/mod_auth_shadow.so
        #
        # <IfModule mod_auth_shadow.c>
        #   <Location />
        #       AuthShadow Off
        #   </Location>
        # </IfModule>
        #
        BeginGroupIfFileExists "/usr/lib/apache/1.3/mod_auth_shadow.so"
            ResetSearch "1"
# bug!          UnCommentLinesMatching "^#[[:blank:]]*LoadModule[[:blank:]]+authshadow_module[[:blank:]].*"
            LocateLineMatching "^#[[:blank:]]*LoadModule[[:blank:]]+authshadow_module[[:blank:]]+/usr/lib/apache/1.3/mod_auth_shadow.so$"
            ReplaceLineWith "LoadModule authshadow_module /usr/lib/apache/1.3/mod_auth_shadow.so"
            CatchAbort
            AbortAtLineMatching "^# END CFENGINE$"
            LocateLineMatching "^# BEGIN CFENGINE$"
            BeginGroupIfNoSuchLine "<IfModule mod_auth_shadow.c>"
                InsertLine "<IfModule mod_auth_shadow.c>"
                InsertLine "    <Location />"
                InsertLine "    </Location>"
                InsertLine "</IfModule>"
            EndGroup
            ResetSearch "1"
            LocateLineMatching "^# BEGIN CFENGINE$"
            LocateLineMatching "^<IfModule mod_auth_shadow.c>$"
            LocateLineMatching "[[:blank:]]+<Location />"
            BeginGroupIfNoLineMatching "[[:blank:]]+AuthShadow Off"
                InsertLine "        AuthShadow Off"
            EndGroup
            UnsetAbort "^# END CFENGINE$"
        EndGroup
        #
        # LoadModule xslt_module /usr/lib/apache/1.3/mod_xslt.so
        #
        # <IfModule mod_xslt.c>
        #   <Location /xslt>
        #       AddHandler mod_xslt .html
        #       AddHandler mod_xslt .txt
        #   </Location>
        # </IfModule>
        #
        BeginGroupIfFileExists "/usr/lib/apache/1.3/mod_xslt.so"
            ResetSearch "1"
# bug!          UnCommentLinesMatching "^#[[:blank:]]*LoadModule[[:blank:]]+xslt_module[[:blank:]].*"
            LocateLineMatching "^#[[:blank:]]*LoadModule[[:blank:]]+xslt_module[[:blank:]]+/usr/lib/apache/1.3/mod_xslt.so$"
            ReplaceLineWith "LoadModule xslt_module /usr/lib/apache/1.3/mod_xslt.so"
            CatchAbort
            AbortAtLineMatching "^# END CFENGINE$"
            LocateLineMatching "^# BEGIN CFENGINE$"
            BeginGroupIfNoSuchLine "<IfModule mod_xslt.c>"
                InsertLine "<IfModule mod_xslt.c>"
                InsertLine "    <Location /xslt>"
                InsertLine "    </Location>"
                InsertLine "</IfModule>"
            EndGroup
            ResetSearch "1"
            LocateLineMatching "^# BEGIN CFENGINE$"
            LocateLineMatching "^<IfModule mod_xslt.c>$"
            LocateLineMatching "[[:blank:]]+<Location /xslt>"
            BeginGroupIfNoLineMatching "[[:blank:]]+AddHandler mod_xslt .html"
                InsertLine "        AddHandler mod_xslt .html"
                InsertLine "        AddHandler mod_xslt .txt"
            EndGroup
            UnsetAbort "^# END CFENGINE$"
        EndGroup
        #
        # SSLCACertificatePath /etc/ssl/certs
        # SSLCACertificateFile /etc/ssl/certs/cacert.pem
        # SSLCertificateFile apache.pem
        # SSLCertificateKeyFile apache.pem
        #
        ResetSearch "1"
        HashCommentLinesMatching "SSLCACertificatePath*"
        CatchAbort
        BeginGroupIfFileExists "/etc/ssl/certs/cacert.pem"
            ResetSearch "1"
            HashCommentLinesMatching "SSLCACertificatePath*"
            CatchAbort
            ResetSearch "1"
            HashCommentLinesMatching "SSLCACertificateFile*"
            CatchAbort
            AbortAtLineMatching "^# END CFENGINE$"
            LocateLineMatching "^# BEGIN CFENGINE$"
            BeginGroupIfNoSuchLine "SSLCACertificatePath /etc/ssl/certs"
                InsertLine "SSLCACertificatePath /etc/ssl/certs"
                InsertLine "SSLCACertificateFile /etc/ssl/certs/cacert.pem"
            EndGroup
            ResetSearch "1"
            UnsetAbort "^# END CFENGINE$"
        EndGroup
        BeginGroupIfFileExists "/etc/ssl/certs/apache.pem"
            ResetSearch "1"
            HashCommentLinesMatching "SSLCertificateFile*"
            CatchAbort
            AbortAtLineMatching "^# END CFENGINE$"
            LocateLineMatching "^# BEGIN CFENGINE$"
            BeginGroupIfNoSuchLine "SSLCertificateFile apache.pem"
                InsertLine "SSLCertificateFile apache.pem"
            EndGroup
            ResetSearch "1"
            UnsetAbort "^# END CFENGINE$"
        EndGroup
        BeginGroupIfFileExists "/etc/ssl/private/apache.pem"
            ResetSearch "1"
            HashCommentLinesMatching "SSLCertificateKeyFile*"
            CatchAbort
            AbortAtLineMatching "^# END CFENGINE$"
            LocateLineMatching "^# BEGIN CFENGINE$"
            BeginGroupIfNoSuchLine "SSLCertificateKeyFile apache.pem"
                InsertLine "SSLCertificateKeyFile apache.pem"
            EndGroup
            ResetSearch "1"
            UnsetAbort "^# END CFENGINE$"
        EndGroup
    }
processes:
    "apache_ssl"    restart "/etc/init.d/apache-ssl restart"
shellcommands:
    apache_reload::
    "/etc/init.d/apache-ssl force-reload"