This is a wrapper around `Apache` and `Apache::Vhost` from puppetlabs/apache that adds SSL and Kerberos authentication compatible with FreeIPA.
- Description
- Setup
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
This wrapper installs the required Apache2 modules for authentication using Kerberos and SSSD, so it also respects HBAC rules defined in FreeIPA.
For a vhost, it enables Kerberos based authentication for its document root and sets up its configuration with an SSL certificate retrieved from your FreeIPA server. Both options can be disabled.
- Apache configuration: enables modules
- Apache vhosts: adds 1 http and optionally 1 https vhost
- PAM configuration: adds a new config file in `/etc/pam.d/`
- File system: creates the document root directory
You should set up a Kerberos principal in FreeIPA and retrieve both an SSL key and the accompanying certificate for your host. Also, retrieve the ticket for your principal and store it in a keytab accessible by Apache, e.g. in `/etc/apache2/krb5_keytab`.
You will need to install and set up Apache separately, e.g. with puppetlabs/apache.

Configuring your webserver for Kerberos auth is easy:

```puppet
class { '::webserver': }
```

This will install the required packages and enable `mod_authnz_pam` and `mod_auth_kerb`. Also, it will create a new PAM configuration for web access that requires SSSD for authorization.
Setting up a new vhost:

```puppet
# The wrapper's defaults, written as a resource declaration you can copy
# and then override. $vhost_name is set first so the docroot and the
# certificate paths can be derived from it.
$vhost_name = $::facts['fqdn']

webserver::vhost { 'awesome_vhost':
  vhost_name        => $vhost_name,
  docroot           => "/var/www/${vhost_name}/html",
  ssl               => true,
  kerberos          => true,
  web_user          => 'www-data',
  default_vhost     => false,
  ssl_cert_filename => "/etc/apache2/ssl/${vhost_name}.crt.crt",
  ssl_key_filename  => "/etc/apache2/ssl/${vhost_name}.crt.key",
  krb_auth_realm    => undef,
  krb_5keytab       => undef,
  krb_servicename   => 'http',
}
```

Those are the default settings; obviously you need to override them with your customizations. In particular, make sure to set correct values for the `$krb_*` parameters.
The `webserver` class enables `mod_auth_kerb` and `mod_authnz_pam` and creates a PAM configuration file that requires SSSD.

- This class has no configuration settings
`webserver::vhost` creates a new Apache virtual host. This will create a `$docroot` directory owned by `$web_user`. If `$ssl` is set to `true`, in addition to an https vhost it will create an http vhost that redirects to https automatically.

- `vhost_name`: Hostname the vhost uses, i.e. `ServerName` in Apache
- `docroot`: directory static files will be served from
- `ssl`: bool, use SSL?
- `kerberos`: bool, require Kerberos?
- `web_user`: username `docroot` will belong to
- `default_vhost`: bool, is this the default Apache vhost?
- `ssl_cert_filename`: path to the SSL certificate
- `ssl_key_filename`: path to the SSL private key
- `krb_auth_realm`: optional if `kerberos` is `false`; name of your Kerberos realm
- `krb_5keytab`: optional if `kerberos` is `false`; path to the Kerberos keytab file accessible by Apache
- `krb_servicename`: optional if `kerberos` is `false`; name of the Kerberos service you set up in FreeIPA
Currently this is a limited wrapper around vhost creation, i.e. it will not pass through additional Apache vhost settings to the module it wraps. You may, however, access that instance of `Apache::Vhost` using the regular Puppet syntax of `Apache::Vhost[your.vhost.here]`.
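A complete node manifest that uses the wrapper with site-specific values, manages the keytab it depends on, and then references the wrapped vhost resource as described above. This is an added example, not part of this module's README; the hostname, realm, keytab source, file ownership and the assumption that the wrapped resource is titled with the vhost name are all assumptions.

```puppet
# Added example (not from the module): a node manifest for a Kerberos- and
# SSL-protected vhost. Hostname, realm, keytab source and ownership are assumed.
class { '::webserver': }

$vhost = 'wiki.example.com'

# The keytab must be readable by the Apache user and by nobody else; the
# path is the one suggested in Setup. The source location is assumed.
file { '/etc/apache2/krb5_keytab':
  ensure => file,
  owner  => 'root',
  group  => 'www-data',
  mode   => '0640',
  source => 'puppet:///modules/profile/keytabs/wiki.keytab',
}

webserver::vhost { $vhost:
  vhost_name        => $vhost,
  docroot           => "/var/www/${vhost}/html",
  ssl               => true,
  kerberos          => true,
  web_user          => 'www-data',
  default_vhost     => false,
  ssl_cert_filename => "/etc/apache2/ssl/${vhost}.crt.crt",
  ssl_key_filename  => "/etc/apache2/ssl/${vhost}.crt.key",
  krb_auth_realm    => 'EXAMPLE.COM',
  krb_5keytab       => '/etc/apache2/krb5_keytab',
  # Assumed to match the service principal created in FreeIPA for this host
  # (FreeIPA names web service principals HTTP/<fqdn>@REALM).
  krb_servicename   => 'HTTP',
}

# The wrapper does not pass extra settings through, but the wrapped resource
# can still be referenced with regular Puppet syntax, here to make sure the
# keytab is in place before the vhost is configured. Assumes the wrapped
# Apache::Vhost is titled with the vhost name, as Apache::Vhost[your.vhost.here]
# in Limitations suggests.
File['/etc/apache2/krb5_keytab'] -> Apache::Vhost[$vhost]
```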