From b1f108ab5693765a9a08781120a88c44e0fd9948 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Romain=20Tarti=C3=A8re?= Date: Wed, 8 Jan 2025 14:11:53 -1000 Subject: [PATCH] Allow to use the same domain multiple times with mod_md When using mod_md to manage TLS certificates, a domain can only appear once as a parameter of a MDomain configuration. When a single node configures multiple Virtual Hosts to serve the same website on different IP Addresses or on different ports, and we want to use mod_md to manage the TLS certificate, the current code produces a MDomain entry in each virtual host, leading to a configuration error and preventing apache from starting. This commit reworks how the MDomain setting is emitted, and ensures it is only output once even if multiple Virtual Hosts configure the same domain. --- manifests/vhost.pp | 14 +++++++++++++- spec/defines/vhost_spec.rb | 4 ++-- templates/mdomain.epp | 11 +++++++++++ templates/vhost/_file_header.epp | 9 --------- 4 files changed, 26 insertions(+), 12 deletions(-) create mode 100644 templates/mdomain.epp diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 9f95aecbb4..433e2812b3 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -2239,7 +2239,6 @@ $file_header_params = { 'comment' => $comment, 'nvh_addr_port' => $nvh_addr_port, - 'mdomain' => $mdomain, 'servername' => $servername, 'define' => $define, 'protocols' => $protocols,
@@ -2257,6 +2256,19 @@ content => epp('apache/vhost/_file_header.epp', $file_header_params), } + if $mdomain { + # Multiple VHosts can configure the same domain on different ports. + # Apache will fail if multile MDomain directive are set, so ensure we define it only for the first virutal host of each domain. + ensure_resource('file', "${servername}-mod_md", { + ensure => file, + path => "${apache::confd_dir}/mdomain-${servername}.conf", + mode => $apache::file_mode, + content => epp('apache/mdomain.epp', { mdomain => $mdomain, servername => $servername }), + require => File[$apache::confd_dir], + notify => Class['apache::service'], + }) + } + if $docroot and $ensure == 'present' { if $virtual_docroot { include apache::mod::vhost_alias diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb index b80fd61b0e..41cc8dedee 100644 --- a/spec/defines/vhost_spec.rb +++ b/spec/defines/vhost_spec.rb @@ -966,7 +966,7 @@ it { is_expected.to contain_class('apache::mod::md') } it { - expect(subject).to contain_concat__fragment('rspec.example.com-apache-header').with( + expect(subject).to contain_file('example.com-mod_md').with( content: %r{^MDomain example\.com example\.net auto$}, ) } @@ -2166,7 +2166,7 @@ end it { - expect(subject).to contain_concat__fragment('rspec.example.com-apache-header').with( + expect(subject).to contain_file('rspec.example.com-mod_md').with( content: %r{^MDomain rspec.example.com$}, ) } diff --git a/templates/mdomain.epp b/templates/mdomain.epp new file mode 100644 index 0000000000..55c7b2086b --- /dev/null +++ b/templates/mdomain.epp @@ -0,0 +1,11 @@ +<%- | + Variant[Boolean, String[1]] $mdomain, + String[1] $servername, +| -%> +<%- if $mdomain { -%> + <%- if $mdomain =~ String { -%> +MDomain <%= $mdomain %> + <%-} else {-%> +MDomain <%= $servername %> + <%- } -%> +<% } -%> diff --git a/templates/vhost/_file_header.epp b/templates/vhost/_file_header.epp index 0958130b9c..ecbd813dc5 100644 --- a/templates/vhost/_file_header.epp 
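Review bot: The new `if $mdomain {` block is not conditioned on `$ensure`, so a vhost declared with `ensure => absent` still writes `mdomain-${servername}.conf`, and mod_md would presumably keep managing a certificate for a name that no longer has a virtual host. Changing the guard to `if $mdomain and $ensure == 'present' {` would match the `$docroot` check just below it. Separately, `ensure_resource` only de-duplicates declarations whose parameters are identical, so two vhosts with the same `$servername` but different `$mdomain` values (for example `true` on one and a domain list on the other) fail catalog compilation with a duplicate declaration. Two vhosts with different `$servername` values whose `$mdomain` lists overlap still emit two MDomain directives for the same name. A comment stating that every vhost sharing a servername must pass the same `mdomain` value would help, and the comment typos (`multile`, `virutal`) are worth fixing; the enclosing define starts and ends outside the hunk.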
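Review bot: Neither hunk in spec/defines/vhost_spec.rb exercises the case this commit is written for; both only retarget an existing expectation from the concat fragment to the new `file` resource. A context declaring two `apache::vhost` resources with the same `servername` on different ports and the same `mdomain`, asserting `is_expected.to compile` and that a single `<servername>-mod_md` file is in the catalog, would pin the de-duplication. A companion expectation that the `rspec.example.com-apache-header` fragment no longer contains `MDomain` would guard against the directive being emitted twice again. The enclosing `describe`/`context` blocks lie outside both hunks.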
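Review bot: `MDomain <%= $mdomain %>` writes the string verbatim into a server-wide file under `confd_dir`, and `String[1]` accepts embedded newlines, so a value arriving from Hiera or a node classifier could carry additional directives into global Apache configuration. Tightening the parameter to something like `Variant[Boolean, Pattern[/\A[^\r\n]+\z/]] $mdomain` rejects that at compile time. The same applies to `$servername`, which is also interpolated into the file name in manifests/vhost.pp. The outer `<%- if $mdomain { -%>` repeats the caller's `if $mdomain` and could be dropped. A leading `# Managed by Puppet` comment would keep the generated file consistent with the vhost header template.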
+++ b/templates/vhost/_file_header.epp @@ -3,15 +3,6 @@ # Managed by Puppet # ************************************ <%= [$comment].flatten.map |$c| { "# ${c}" }.join("\n") -%> -<%- if $mdomain { -%> - - <%- if $mdomain =~ String { -%> - -MDomain <%= $mdomain %> - <%-} else {-%> -MDomain <%= $servername %> - <%- } -%> -<% } -%> > <% $define.each | $k, $v| { -%>