Alexandros Kosiaris has submitted this change and it was merged.
Change subject: icinga: Bring the web part up to 2.4 standards
......................................................................
icinga: Bring the web part up to 2.4 standards
Disable mod_access_compat and guard the pre 2.4 apache parts of the
configuration with IfVersion statements
Change-Id: I1cf33c3134060daf998fc12363ec61f43f389855
---
M modules/icinga/manifests/web.pp
M modules/icinga/templates/icinga.wikimedia.org.erb
2 files changed, 21 insertions(+), 4 deletions(-)
Approvals:
Alexandros Kosiaris: Verified; Looks good to me, approved
diff --git a/modules/icinga/manifests/web.pp b/modules/icinga/manifests/web.pp
index 8644bf7..634a451 100644
--- a/modules/icinga/manifests/web.pp
+++ b/modules/icinga/manifests/web.pp
@@ -14,6 +14,10 @@
include ::apache::mod::ssl
include ::apache::mod::headers
include ::apache::mod::cgi
+ # Disable access_compat module on Debian >= Jessie
+ if os_version('debian >= jessie') {
+ apache::mod_conf { 'access_compat': ensure => absent }
+ }
ferm::service { 'icinga-https':
proto => 'tcp',
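Review bot: the vhost template in this change now depends on `<IfVersion>`, but the include list just above the added `if os_version(...)` block (ssl, headers, cgi) does not declare mod_version. On a host still running Apache older than 2.4, the configuration will only parse if that module happens to be enabled some other way. Declare it explicitly alongside the other includes, or say in the comment that it is expected to be present. The comment on the added block would also be more useful if it stated why access_compat is removed (so that any leftover `Order`/`Allow`/`Deny`/`Satisfy` directive fails the config test instead of being silently honoured), not only that it is.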
diff --git a/modules/icinga/templates/icinga.wikimedia.org.erb
b/modules/icinga/templates/icinga.wikimedia.org.erb
index 4af43b7..9e8aacb 100644
--- a/modules/icinga/templates/icinga.wikimedia.org.erb
+++ b/modules/icinga/templates/icinga.wikimedia.org.erb
@@ -34,11 +34,17 @@
Options ExecCGI
DirectoryIndex index.html
AllowOverride None
+ <IfVersion < 2.4>
Order Deny,Allow
+ Deny from All
+ Satisfy Any
+ </IfVersion>
+
# We monitor icinga externally allowing access
# to only the extinfo.cgi file.
<Files extinfo.cgi>
+ <IfVersion < 2.4>
Deny from All
Allow from 81.25.198.18
Allow from 38.104.3.42
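Review bot: the first `<IfVersion < 2.4>` block in this hunk (`Order Deny,Allow`, `Deny from All`, `Satisfy Any`) has no `>= 2.4` counterpart, so on 2.4 the directory-level default deny is implicit and rests entirely on the `Require` directives further down in the same section. That is easy to miss when someone edits the section later. A one-line comment after `</IfVersion>` saying that 2.4 access is governed by the `Require ldap-group` lines below would make the intended default explicit.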
@@ -46,9 +52,17 @@
Allow from 38.122.67.74
Allow from 85.17.12.81
Allow from 85.17.12.83
- </Files>
-
- Deny from All
+ </IfVersion>
+ <IfVersion >= 2.4>
+ AuthMerging Or
+ Require ip 81.25.198.18
+ Require ip 38.104.3.42
+ Require ip 4.31.195.94
+ Require ip 38.122.67.74
+ Require ip 85.17.12.81
+ Require ip 85.17.12.83
+ </IfVersion>
+ </Files>
AuthName "WMF Labs (use wiki login name not shell) - nda/ops/wmf"
AuthType Basic
AuthBasicProvider ldap
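Review bot: the monitoring allow-list inside `<Files extinfo.cgi>` is now written out twice, once as `Allow from` under `<IfVersion < 2.4>` and once as `Require ip` under `<IfVersion >= 2.4>`, so the two copies can drift apart and grant different access depending on the Apache version. Since this file is an ERB template, consider rendering both branches from a single list of addresses. Separately, `AuthMerging Or` is the line that lets these addresses reach extinfo.cgi without the LDAP login, taking over from the old `Satisfy Any`; a short comment next to it saying so would help the next reader, because dropping it would change who can reach the file.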
@@ -58,7 +72,6 @@
Require ldap-group cn=ops,ou=groups,dc=wikimedia,dc=org
Require ldap-group cn=wmf,ou=groups,dc=wikimedia,dc=org
Require ldap-group cn=nda,ou=groups,dc=wikimedia,dc=org
- Satisfy Any
</DirectoryMatch>
<IfModule !mod_alias.c>
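Review bot: with `Satisfy Any` removed from the end of this section, the three `Require ldap-group` lines rely on 2.4's implicit behaviour of treating sibling `Require` directives as alternatives. Nothing in the section says that membership of any one of ops, wmf or nda is sufficient. A comment above the group lines stating that they are ORed, and that the pre-2.4 `Satisfy Any` now lives in the `<IfVersion < 2.4>` block near the top, would document the move and make a later reordering less risky.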
--
To view, visit https://gerrit.wikimedia.org/r/316814
Gerrit-MessageType: merged
Gerrit-Change-Id: I1cf33c3134060daf998fc12363ec61f43f389855
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: jenkins-bot <>