try managing suhosin with puppet
authorStephen Gran <steve@lobefin.net>
Sat, 20 Feb 2010 12:39:14 +0000 (12:39 +0000)
committerStephen Gran <steve@lobefin.net>
Sat, 20 Feb 2010 12:39:14 +0000 (12:39 +0000)
Signed-off-by: Stephen Gran <steve@lobefin.net>
modules/apache2/files/common/etc/php5/conf.d/suhosin.ini [new file with mode: 0644]
modules/apache2/manifests/init.pp

diff --git a/modules/apache2/files/common/etc/php5/conf.d/suhosin.ini b/modules/apache2/files/common/etc/php5/conf.d/suhosin.ini
new file mode 100644 (file)
index 0000000..46376f7
--- /dev/null
@@ -0,0 +1,94 @@
+; configuration for php suhosin module
+extension=suhosin.so
+
+;;;;;;;;;;;;;;;;;;;
+; Module Settings ;
+;;;;;;;;;;;;;;;;;;;
+; the following values are the internal default settings and set implicit
+; feel free to modify to your needs
+
+[suhosin]
+; Logging Configuration
+;suhosin.log.syslog.facility = 9
+;suhosin.log.syslog.priority = 1
+;suhosin.log.script = 0
+;suhosin.log.phpscript = 0
+;suhosin.log.script.name =
+;suhosin.log.phpscript.name =
+;suhosin.log.use-x-forwarded-for = off
+
+; Executor Options
+;suhosin.executor.max_depth = 0
+;suhosin.executor.include.max_traversal = 0
+;suhosin.executor.include.whitelist =
+;suhosin.executor.include.blacklist =
+;suhosin.executor.func.whitelist =
+;suhosin.executor.func.blacklist =
+;suhosin.executor.eval.whitelist =
+;suhosin.executor.eval.blacklist =
+;suhosin.executor.disable_emodifier = off
+;suhosin.executor.allow_symlink = off
+
+; Misc Options
+;suhosin.simulation = off
+;suhosin.apc_bug_workaround = off
+;suhosin.sql.bailout_on_error = off
+;suhosin.sql.user_prefix =
+;suhosin.sql.user_postfix =
+;suhosin.multiheader = off
+;suhosin.mail.protect = 0
+;suhosin.memory_limit = 0
+
+; Transparent Encryption Options
+;suhosin.session.encrypt = on
+;suhosin.session.cryptkey =
+;suhosin.session.cryptua = on
+;suhosin.session.cryptdocroot = on
+;suhosin.session.cryptraddr = 0
+;suhosin.session.checkraddr = 0
+;suhosin.cookie.encrypt = on
+;suhosin.cookie.cryptkey =
+;suhosin.cookie.cryptua = on
+;suhosin.cookie.cryptdocroot = on
+;suhosin.cookie.cryptraddr = 0
+;suhosin.cookie.checkraddr = 0
+;suhosin.cookie.cryptlist =
+;suhosin.cookie.plainlist =
+
+; Filtering Options
+;suhosin.filter.action =
+;suhosin.cookie.max_array_depth = 100
+;suhosin.cookie.max_array_index_length = 64
+;suhosin.cookie.max_name_length = 64
+;suhosin.cookie.max_totalname_length = 256
+;suhosin.cookie.max_value_length = 10000
+;suhosin.cookie.max_vars = 100
+;suhosin.cookie.disallow_nul = on
+;suhosin.get.max_array_depth = 50
+;suhosin.get.max_array_index_length = 64
+;suhosin.get.max_name_length = 64
+;suhosin.get.max_totalname_length = 256
+suhosin.get.max_value_length = 4096
+;suhosin.get.max_vars = 100
+;suhosin.get.disallow_nul = on
+;suhosin.post.max_array_depth = 100
+;suhosin.post.max_array_index_length = 64
+;suhosin.post.max_name_length = 64
+;suhosin.post.max_totalname_length = 256
+;suhosin.post.max_value_length = 65000
+;suhosin.post.max_vars = 200
+;suhosin.post.disallow_nul = on
+;suhosin.request.max_array_depth = 100
+;suhosin.request.max_array_index_length = 64
+;suhosin.request.max_totalname_length = 256
+;suhosin.request.max_value_length = 65000
+;suhosin.request.max_vars = 200
+;suhosin.request.max_varname_length = 64
+;suhosin.request.disallow_nul = on
+;suhosin.upload.max_uploads = 25
+;suhosin.upload.disallow_elf = on
+;suhosin.upload.disallow_binary = off
+;suhosin.upload.remove_binary = off
+;suhosin.upload.verification_script =
+;suhosin.session.max_id_length = 128
+
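Review bot: The only active directive in this file, `suhosin.get.max_value_length = 4096`, carries no comment, while the header states that the values below are the internal defaults. Every other setting is commented out, so this line is the single behaviour change the file makes, and it loosens a request-filter limit on every host that receives the common copy. I would put a line above it such as `; raised from the module default because <application> needs long GET values`, and reword the header to say that uncommented lines are local overrides. If only some sites need the larger limit, the per-host source that init.pp consults first looks like the better place for it.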
index dc8c66c..9c5481c 100644 (file)
@@ -58,6 +58,16 @@ class apache2 {
                 "000-default": ensure => absent;
         }
 
+        case $php5suhosin {
+                "true": { file { "/etc/php5/conf.d/suhosin.ini":
+                                       source  => [ "puppet:///apache2/per-host/$fqdn/etc/php5/conf.d/suhosin.ini",
+                                                    "puppet:///apache2/common/etc/php5/conf.d/suhosin.ini" ],
+                                       require => Package["apache2", "php5-suhosin"],
+                                        notify  => Exec["force-reload-apache2"];
+                               }
+                 }
+        }
+
        file {
                "/etc/apache2/conf.d/ressource-limits":
                        content => template("apache2/ressource-limits.erb"),
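Review bot: The new `file { "/etc/php5/conf.d/suhosin.ini": ... }` resource sets no owner, group or mode, so the permissions of a file that configures a hardening module depend on the source copy or on a File default that is not visible in this hunk. Unless such a default exists elsewhere in the class, I would pin them with `owner => root, group => root, mode => 0644,`. The `case $php5suhosin` block also has no `default:` branch, so a host where the variable is later unset keeps whatever suhosin.ini was last deployed. If that is intended, a short comment saying so would help; otherwise add a branch with `ensure => absent`. The body of class apache2 starts and continues outside this hunk.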