Per PCI-DSSv3 requirements: Disabled Apache TRACE, disabled Apache server signature, set Apache server tokens to Prod, disabled default Apache mods and configs, disabled Apache mod_status. Also did some code cleanup after testing with Ubuntu 14.04.2

Author: DevoKun

manifests/master.pp

@@ -58,50 +58,50 @@
 #  }
 #
 class puppet::master (
-  $user_id                      = undef,
-  $group_id                     = undef,
-  $modulepath                   = $::puppet::params::modulepath,
-  $manifest                     = $::puppet::params::manifest,
-  $external_nodes               = undef,
-  $node_terminus                = undef,
-  $hiera_config                 = $::puppet::params::hiera_config,
-  $environmentpath              = $::puppet::params::environmentpath,
-  $environments                 = $::puppet::params::environments,
-  $reports                      = store,
-  $storeconfigs                 = false,
-  $storeconfigs_dbserver        = $::puppet::params::storeconfigs_dbserver,
-  $storeconfigs_dbport          = $::puppet::params::storeconfigs_dbport,
-  $certname                     = $::fqdn,
-  $autosign                     = false,
-  $reporturl                    = undef,
-  $puppet_ssldir                = $::puppet::params::puppet_ssldir,
-  $puppet_docroot               = $::puppet::params::puppet_docroot,
-  $puppet_vardir                = $::puppet::params::puppet_vardir,
-  $puppet_passenger_port        = $::puppet::params::puppet_passenger_port,
-  $puppet_passenger_ssl_protocol = $::puppet::params::puppet_passenger_ssl_protocol
-  $puppet_passenger_ssl_cipher   = $::puppet::params::puppet_passenger_ssl_cipher
-  $puppet_passenger_tempdir     = false,
-  $puppet_passenger_cfg_addon   = '',
-  $puppet_master_package        = $::puppet::params::puppet_master_package,
-  $puppet_master_service        = $::puppet::params::puppet_master_service,
-  $version                      = 'present',
-  $apache_serveradmin           = $::puppet::params::apache_serveradmin,
-  $pluginsync                   = true,
-  $parser                       = $::puppet::params::parser,
-  $puppetdb_startup_timeout     = '60',
-  $puppetdb_strict_validation   = $::puppet::params::puppetdb_strict_validation,
-  $dns_alt_names                = ['puppet'],
-  $digest_algorithm             = $::puppet::params::digest_algorithm,
-  $generate_ssl_certs           = true,
-  $strict_variables             = undef,
-  $puppetdb_version             = 'present',
-  $always_cache_features        = false,
-  $passenger_max_pool_size      = $::processorcount,
-  $passenger_high_performance   = on,
-  $passenger_max_requests       = 10000,
-  $passenger_stat_throttle_rate = 30,
-  $serialization_format         = undef,
-  $serialization_package        = undef,
+  $user_id                       = undef,
+  $group_id                      = undef,
+  $modulepath                    = $::puppet::params::modulepath,
+  $manifest                      = $::puppet::params::manifest,
+  $external_nodes                = undef,
+  $node_terminus                 = undef,
+  $hiera_config                  = $::puppet::params::hiera_config,
+  $environmentpath               = $::puppet::params::environmentpath,
+  $environments                  = $::puppet::params::environments,
+  $reports                       = store,
+  $storeconfigs                  = false,
+  $storeconfigs_dbserver         = $::puppet::params::storeconfigs_dbserver,
+  $storeconfigs_dbport           = $::puppet::params::storeconfigs_dbport,
+  $certname                      = $::fqdn,
+  $autosign                      = false,
+  $reporturl                     = undef,
+  $puppet_ssldir                 = $::puppet::params::puppet_ssldir,
+  $puppet_docroot                = $::puppet::params::puppet_docroot,
+  $puppet_vardir                 = $::puppet::params::puppet_vardir,
+  $puppet_passenger_port         = $::puppet::params::puppet_passenger_port,
+  $puppet_passenger_ssl_protocol = $::puppet::params::puppet_passenger_ssl_protocol,
+  $puppet_passenger_ssl_cipher   = $::puppet::params::puppet_passenger_ssl_cipher,
+  $puppet_passenger_tempdir      = false,
+  $puppet_passenger_cfg_addon    = '',
+  $puppet_master_package         = $::puppet::params::puppet_master_package,
+  $puppet_master_service         = $::puppet::params::puppet_master_service,
+  $version                       = 'present',
+  $apache_serveradmin            = $::puppet::params::apache_serveradmin,
+  $pluginsync                    = true,
+  $parser                        = $::puppet::params::parser,
+  $puppetdb_startup_timeout      = '60',
+  $puppetdb_strict_validation    = $::puppet::params::puppetdb_strict_validation,
+  $dns_alt_names                 = ['puppet'],
+  $digest_algorithm              = $::puppet::params::digest_algorithm,
+  $generate_ssl_certs            = true,
+  $strict_variables              = undef,
+  $puppetdb_version              = 'present',
+  $always_cache_features         = false,
+  $passenger_max_pool_size       = $::processorcount,
+  $passenger_high_performance    = on,
+  $passenger_max_requests        = 10000,
+  $passenger_stat_throttle_rate  = 30,
+  $serialization_format          = undef,
+  $serialization_package         = undef,
 ) inherits puppet::params {
 
   anchor { 'puppet::master::begin': }
@@ -140,21 +140,23 @@
 
   Anchor['puppet::master::begin'] ->
   class {'puppet::passenger':
-    puppet_passenger_port        => $puppet_passenger_port,
-    puppet_docroot               => $puppet_docroot,
-    apache_serveradmin           => $apache_serveradmin,
-    puppet_conf                  => $::puppet::params::puppet_conf,
-    puppet_ssldir                => $puppet_ssldir,
-    certname                     => $certname,
-    conf_dir                     => $::puppet::params::confdir,
-    dns_alt_names                => join($dns_alt_names,','),
-    generate_ssl_certs           => $generate_ssl_certs,
-    puppet_passenger_tempdir     => $puppet_passenger_tempdir,
-    config_addon                 => $puppet_passenger_cfg_addon,
-    passenger_max_pool_size      => $passenger_max_pool_size,
-    passenger_high_performance   => $passenger_high_performance,
-    passenger_max_requests       => $passenger_max_requests,
-    passenger_stat_throttle_rate => $passenger_stat_throttle_rate,
+    puppet_passenger_port         => $puppet_passenger_port,
+    puppet_passenger_ssl_protocol => $puppet_passenger_ssl_protocol,
+    puppet_passenger_ssl_cipher   => $puppet_passenger_ssl_cipher,
+    puppet_docroot                => $puppet_docroot,
+    apache_serveradmin            => $apache_serveradmin,
+    puppet_conf                   => $::puppet::params::puppet_conf,
+    puppet_ssldir                 => $puppet_ssldir,
+    certname                      => $certname,
+    conf_dir                      => $::puppet::params::confdir,
+    dns_alt_names                 => join($dns_alt_names,','),
+    generate_ssl_certs            => $generate_ssl_certs,
+    puppet_passenger_tempdir      => $puppet_passenger_tempdir,
+    config_addon                  => $puppet_passenger_cfg_addon,
+    passenger_max_pool_size       => $passenger_max_pool_size,
+    passenger_high_performance    => $passenger_high_performance,
+    passenger_max_requests        => $passenger_max_requests,
+    passenger_stat_throttle_rate  => $passenger_stat_throttle_rate,
 
   } ->
   Anchor['puppet::master::end']

manifests/params.pp

@@ -35,10 +35,8 @@
   $classfile                        = '$statedir/classes.txt'
   $package_provider                 = undef # falls back to system default
 
-  $puppet_passenger_ssl_protocol    = 'TLSv1.2',
-  #$puppet_passenger_ssl_protocol   = 'ALL -SSLv2 -SSLv3',
+  $puppet_passenger_ssl_protocol    = 'TLSv1.2'
   $puppet_passenger_ssl_cipher      = 'AES256+EECDH:AES256+EDH'
-  #$puppet_passenger_ssl_cipher     = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK',
 
   # Only used when environments == directory
   $environmentpath                  = "${confdir}/environments"

manifests/passenger.pp

@@ -50,24 +50,31 @@
   $passenger_max_requests = 0,
   $passenger_stat_throttle_rate = 10,
 ){
-  #include apache
+
   class { 'apache':
+    default_mods        => false,
+    default_confd_files => false,
+    default_vhost       => false,
     server_tokens       => 'Prod',
     server_signature    => 'Off',
     trace_enable        => 'Off',
-  } ### class
+  }
+
+  apache::mod { 'access_compat': }
+  apache::mod { 'status': package_ensure => 'absent' }
+
   include puppet::params
   class { 'apache::mod::passenger':
     passenger_max_pool_size      => $passenger_max_pool_size,
     passenger_high_performance   => $passenger_high_performance,
     passenger_max_requests       => $passenger_max_requests,
     passenger_stat_throttle_rate => $passenger_stat_throttle_rate,
   }
-  #include apache::mod::ssl
-  apache::mod::ssl {
+
+  class { 'apache::mod::ssl':
     ssl_protocol => [$puppet_passenger_ssl_protocol],
     ssl_cipher   => $puppet_passenger_ssl_cipher,
-  } ### Apache::Mod::Ssl defaults
+  }
 
   if $::osfamily == 'redhat' {
     file { '/var/lib/puppet/reports':