the only way to fix the

ehaselwanter · ehaselwanter · commit 389949e478e9 · 2014-12-13T13:31:19.000+01:00
&lt;Directory /&gt;
  Options -Indexes -FollowSymLinks
  AllowOverride None
&lt;/Directory&gt;

from the original

&lt;Directory /&gt;
  Options Indexes
  AllowOverride None
&lt;/Directory&gt;

TelekomLabs-DCO-1.1-Signed-off-by: Edmund Haselwanter &lt;me@ehaselwanter.com&gt; (github: ehaselwanter)
diff --git a/manifests/puppetlabs_override.pp b/manifests/puppetlabs_override.pp
@@ -17,12 +17,12 @@
 
     $server_signature    = 'Off',
     $server_tokens       = 'Prod',
-    $trace_enable        = 'Off'
+    $trace_enable        = 'Off',
 
 ) inherits ::apache {
 
   File["${::apache::conf_dir}/${::apache::params::conf_file}"]{
-    content => template($::apache::params::conf_template),
+    content => template('apache_hardening/httpd.conf.erb'),
     mode   => '0640',
   }
 }
diff --git a/templates/httpd.conf.erb b/templates/httpd.conf.erb
@@ -0,0 +1,116 @@
+# Security
+ServerTokens <%= @server_tokens %>
+ServerSignature <%= @server_signature %>
+TraceEnable <%= @trace_enable %>
+
+ServerName "<%= @servername %>"
+ServerRoot "<%= @server_root %>"
+PidFile <%= @pidfile %>
+Timeout <%= @timeout %>
+KeepAlive <%= @keepalive %>
+MaxKeepAliveRequests <%= @max_keepalive_requests %>
+KeepAliveTimeout <%= @keepalive_timeout %>
+
+User <%= @user %>
+Group <%= @group %>
+
+AccessFileName .htaccess
+<FilesMatch "^\.ht">
+<%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
+    Require all denied
+<%- else -%>
+     Order allow,deny
+     Deny from all
+     Satisfy all
+<%- end -%>
+</FilesMatch>
+
+<Directory />
+  Options -Indexes -FollowSymLinks
+  AllowOverride None
+</Directory>
+
+DefaultType none
+HostnameLookups Off
+ErrorLog "<%= @logroot %>/<%= @error_log %>"
+LogLevel <%= @log_level %>
+EnableSendfile <%= @sendfile %>
+<%- if @allow_encoded_slashes -%>
+AllowEncodedSlashes <%= @allow_encoded_slashes %>
+<%- end -%>
+
+#Listen 80
+
+<% if @apxs_workaround -%>
+# Workaround: without this hack apxs would be confused about where to put
+# LoadModule directives and fail entire procedure of apache package
+# installation/reinstallation. This problem was observed on FreeBSD (apache22).
+#LoadModule fake_module libexec/apache22/mod_fake.so
+<% end -%>
+
+Include "<%= @mod_load_dir %>/*.load"
+<% if @mod_load_dir != @confd_dir and @mod_load_dir != @vhost_load_dir -%>
+Include "<%= @mod_load_dir %>/*.conf"
+<% end -%>
+Include "<%= @ports_file %>"
+
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %b" common
+LogFormat "%{Referer}i -> %U" referer
+LogFormat "%{User-agent}i" agent
+<% if @log_formats and !@log_formats.empty? -%>
+  <%- @log_formats.sort.each do |nickname,format| -%>
+LogFormat "<%= format -%>" <%= nickname %>
+  <%- end -%>
+<% end -%>
+
+<%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
+IncludeOptional "<%= @confd_dir %>/*.conf"
+<%- else -%>
+Include "<%= @confd_dir %>/*.conf"
+<%- end -%>
+<% if @vhost_load_dir != @confd_dir -%>
+<%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
+IncludeOptional "<%= @vhost_load_dir %>/*"
+<%- else -%>
+Include "<%= @vhost_load_dir %>/*"
+<%- end -%>
+<% end -%>
+
+<% if @error_documents -%>
+# /usr/share/apache2/error on debian
+Alias /error/ "<%= @error_documents_path %>/"
+
+<Directory "<%= @error_documents_path %>">
+  AllowOverride None
+  Options IncludesNoExec
+  AddOutputFilter Includes html
+  AddHandler type-map var
+<%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
+  Require all granted
+<%- else -%>
+  Order allow,deny
+  Allow from all
+<%- end -%>
+  LanguagePriority en cs de es fr it nl sv pt-br ro
+  ForceLanguagePriority Prefer Fallback
+</Directory>
+
+ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
+ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
+ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
+ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
+ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
+ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
+ErrorDocument 410 /error/HTTP_GONE.html.var
+ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
+ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
+ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
+ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
+ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
+ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
+ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
+ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
+ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
+ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
+<% end -%>

Original file line number	Diff line number	Diff line change
`@@ -17,12 +17,12 @@`
`17`	`17`
`18`	`18`	`$server_signature = 'Off',`
`19`	`19`	`$server_tokens = 'Prod',`
`20`		`- $trace_enable = 'Off'`
	`20`	`+ $trace_enable = 'Off',`
`21`	`21`
`22`	`22`	`) inherits ::apache {`
`23`	`23`
`24`	`24`	`File["${::apache::conf_dir}/${::apache::params::conf_file}"]{`
`25`		`- content => template($::apache::params::conf_template),`
	`25`	`+ content => template('apache_hardening/httpd.conf.erb'),`
`26`	`26`	`mode => '0640',`
`27`	`27`	`}`
`28`	`28`	`}`