From df182227f694e0fc2dceb6cc0f5b67847df84423 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Romain=20Tarti=C3=A8re?=
Date: Wed, 20 Nov 2024 11:37:15 -1000
Subject: [PATCH] Allow configuring RemoteIPProxyProtocol at VHost level
The module currently support configuring RemoteIP PROXY Protocol at the system level, but the settings can also be used for specific virtual hosts. Allow to set `RemoteIPProxyProtocol` and `RemoteIPProxyProtocolExceptions` at the VHost level. For cosistency, une the same parameter names and types as the ones used for mod_remoteip configuration.
---
 manifests/vhost.pp | 22 ++++++++++++++++++++++
 spec/defines/vhost_spec.rb | 11 ++++++++++-
 templates/vhost/_proxy_protocol.epp | 8 ++++++++
 3 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 templates/vhost/_proxy_protocol.epp
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
index 7414a6f16..9f95aecbb 100644
--- a/manifests/vhost.pp
+++ b/manifests/vhost.pp
@@ -1705,6 +1705,11 @@
 # @param userdir
 # Instances of apache::mod::userdir
 #
+# @param proxy_protocol # Enable or disable PROXY protocol handling #
+# @param proxy_protocol_exceptions # Disable processing of PROXY header for certain hosts or networks
 define apache::vhost (
 Variant[Stdlib::Absolutepath, Boolean] $docroot,
 Boolean $manage_docroot = true,
@@ -1966,6 +1971,8 @@
 Apache::OIDCSettings $oidc_settings = {},
 Optional[Variant[Boolean, String]] $mdomain = undef,
 Optional[Variant[String[1], Array[String[1]]]] $userdir = undef,
+ Optional[Boolean] $proxy_protocol = undef,
+ Array[Stdlib::Host] $proxy_protocol_exceptions = [],
 ) {
 # The base class must be included first because it is used by parameter defaults
 if ! defined(Class['apache']) {
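Review bot: The new `@param proxy_protocol` description in the first hunk should say that the setting is not confined to this vhost: per the mod_remoteip documentation the PROXY protocol is negotiated per connection, so enabling it in one name-based vhost enables it for every vhost sharing the same address:port, and conflicting On/Off values on one listener resolve to whichever is parsed last with a logged notice. That matters operationally, because once it is on for a listener the front-end's PROXY header decides the client address that every vhost on that listener logs and applies access control to, so the caveat belongs next to the parameter rather than in the module's remoteip class. A wording such as `#   Enable or disable PROXY protocol handling. Applies to every vhost that shares this address:port, not only this one.` would do, and `@param proxy_protocol_exceptions` could likewise note that it only has an effect when proxy_protocol is set. The parameter hunk that follows in the same file needs nothing beyond that.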
@@ -2955,6 +2962,21 @@
 }
 }
+ if $proxy_protocol != undef {
+ include apache::mod::remoteip
+
+ $proxy_protocol_params = {
+ proxy_protocol => $proxy_protocol,
+ proxy_protocol_exceptions => $proxy_protocol_exceptions,
+ }
+
+ concat::fragment { "${name}-proxy_protocol":
+ target => "${priority_real}$(unknown).conf",
+ order => 400,
+ content => epp('apache/vhost/_proxy_protocol.epp', $proxy_protocol_params),
+ }
+ }
+
 $file_footer_params = {
 'define' => $define,
 'passenger_pre_start' => $passenger_pre_start,
diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb
index f448b8ca5..b80fd61b0 100644
--- a/spec/defines/vhost_spec.rb
+++ b/spec/defines/vhost_spec.rb
@@ -551,7 +551,9 @@
 'ClientSecret' => 'aae053a9-4abf-4824-8956-e94b2af335c8',
 'CryptoPassphrase' => '4ad1bb46-9979-450e-ae58-c696967df3cd'
 },
 'mdomain' => 'example.com example.net auto',
- 'userdir' => 'disabled'
+ 'userdir' => 'disabled',
+ 'proxy_protocol' => true,
+ 'proxy_protocol_exceptions' => ['127.0.0.1', '10.0.0.0/8'],
 }
 end
@@ -968,6 +970,13 @@
 content: %r{^MDomain example\.com example\.net auto$},
 )
 }
+
+ it {
+ expect(subject).to contain_concat__fragment('rspec.example.com-proxy_protocol')
+ .with_content(%r{^\s+RemoteIPProxyProtocol On$})
+ .with_content(%r{^\s+RemoteIPProxyProtocolExceptions 127\.0\.0\.1$})
+ .with_content(%r{^\s+RemoteIPProxyProtocolExceptions 10\.0\.0\.0/8$})
+ }
 end
 context 'vhost with proxy_add_headers true' do
diff --git a/templates/vhost/_proxy_protocol.epp b/templates/vhost/_proxy_protocol.epp
new file mode 100644
index 000000000..d022f74c5
--- /dev/null
+++ b/templates/vhost/_proxy_protocol.epp
@@ -0,0 +1,8 @@
+<%- |
+ Boolean $proxy_protocol,
+ Array[Stdlib::Host] $proxy_protocol_exceptions,
+| -%>
+ RemoteIPProxyProtocol <%= apache::bool2httpd($proxy_protocol) %>
+<% $proxy_protocol_exceptions.each |$exception| { -%>
+ RemoteIPProxyProtocolExceptions <%= $exception %>
+<% } -%>
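Review bot: A non-empty `proxy_protocol_exceptions` is silently discarded when `proxy_protocol` is left at its `undef` default, because the whole fragment in the first hunk of this line is gated on `if $proxy_protocol != undef {`; a vhost that only lists the hosts it wants exempted gets neither directive nor a warning. Since the exceptions list is a security setting (hosts allowed to connect to a PROXY-enabled listener without sending the header), failing loudly is preferable to dropping it: `if $proxy_protocol == undef and !empty($proxy_protocol_exceptions) { fail("${name}: proxy_protocol_exceptions requires proxy_protocol to be set") }` placed before the existing condition. Separately, the fragment target reads `"${priority_real}$(unknown).conf"` here, which looks like a garbled variable reference in this rendering rather than intended code; confirm it matches the target used by the other concat::fragment resources of the define, whose body starts and ends outside the hunk.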