-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Finish conversion to EPP templates #2545
base: main
Are you sure you want to change the base?
Changes from 1 commit
ae3632a
b2b0350
e3320a5
ce29022
adb5b1a
14f2189
7c48bce
6d15dbe
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
A lot of work was done to convert the module templates form ERB to EPP, but a few templates where still to be converted. Along with various benefits, EPP templates offer better detection for access to undefined variables. This refactoring therefore fix a few issues that where reported while converting. Also a bunch of outdated comments about which template use which variable where removed no that this usage is explicit. The extensive test suite helped ensure the conversion was not introducing regressions.
- Loading branch information
There are no files selected for viewing
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
|
@@ -316,49 +316,30 @@ | |||||
} | ||||||
|
||||||
if $manage_security_crs { | ||||||
# Template uses: | ||||||
# - $_secdefaultaction | ||||||
# - $critical_anomaly_score | ||||||
# - $error_anomaly_score | ||||||
# - $warning_anomaly_score | ||||||
# - $notice_anomaly_score | ||||||
# - $inbound_anomaly_threshold | ||||||
# - $outbound_anomaly_threshold | ||||||
# - $paranoia_level | ||||||
# - $executing_paranoia_level | ||||||
# - $allowed_methods | ||||||
# - $content_types | ||||||
# - $restricted_extensions | ||||||
# - $restricted_headers | ||||||
# - $secrequestmaxnumargs | ||||||
# - $enable_dos_protection | ||||||
# - $dos_burst_time_slice | ||||||
# - $dos_counter_threshold | ||||||
# - $dos_block_timeout | ||||||
$security_crs_parameters = { | ||||||
'_secdefaultaction' => $_secdefaultaction, | ||||||
'critical_anomaly_score' => $critical_anomaly_score, | ||||||
'error_anomaly_score' => $error_anomaly_score, | ||||||
'warning_anomaly_score' => $warning_anomaly_score, | ||||||
'notice_anomaly_score' => $notice_anomaly_score, | ||||||
'inbound_anomaly_threshold' => $inbound_anomaly_threshold, | ||||||
'outbound_anomaly_threshold' => $outbound_anomaly_threshold, | ||||||
'secrequestmaxnumargs' => $secrequestmaxnumargs, | ||||||
'allowed_methods' => $allowed_methods, | ||||||
'content_types' => $content_types, | ||||||
'restricted_extensions' => $restricted_extensions, | ||||||
'restricted_headers' => $restricted_headers, | ||||||
'paranoia_level' => $paranoia_level, | ||||||
'executing_paranoia_level' => $executing_paranoia_level, | ||||||
'enable_dos_protection' => $enable_dos_protection, | ||||||
'dos_burst_time_slice' => $dos_burst_time_slice, | ||||||
'dos_counter_threshold' => $dos_counter_threshold, | ||||||
'dos_block_timeout' => $dos_block_timeout, | ||||||
'_secdefaultaction' => $_secdefaultaction, | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think we shouldn't pass arguments prefixed with
Suggested change
I know other places do this wrong now, so I'd be OK with leaving that for later. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I decided to go this way in order to limit the changes to just ERB -> EPP. IMHO, we should pass So for now, my proposal is to keep it that way. |
||||||
'critical_anomaly_score' => $critical_anomaly_score, | ||||||
'error_anomaly_score' => $error_anomaly_score, | ||||||
'warning_anomaly_score' => $warning_anomaly_score, | ||||||
'notice_anomaly_score' => $notice_anomaly_score, | ||||||
'inbound_anomaly_threshold' => $inbound_anomaly_threshold, | ||||||
'outbound_anomaly_threshold' => $outbound_anomaly_threshold, | ||||||
'secrequestmaxnumargs' => $secrequestmaxnumargs, | ||||||
'allowed_methods' => $allowed_methods, | ||||||
'content_types' => $content_types, | ||||||
'restricted_extensions' => $restricted_extensions, | ||||||
'restricted_headers' => $restricted_headers, | ||||||
'paranoia_level' => $paranoia_level, | ||||||
'executing_paranoia_level' => $executing_paranoia_level, | ||||||
'enable_dos_protection' => $enable_dos_protection, | ||||||
'dos_burst_time_slice' => $dos_burst_time_slice, | ||||||
'dos_counter_threshold' => $dos_counter_threshold, | ||||||
'dos_block_timeout' => $dos_block_timeout, | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. For CRS2, the The following additional line in this block fixed it for me.
The rule is only ever looking for the lowercase string of |
||||||
} | ||||||
|
||||||
file { "${modsec_dir}/security_crs.conf": | ||||||
ensure => file, | ||||||
content => template('apache/mod/security_crs.conf.erb'), | ||||||
content => epp('apache/mod/security_crs.conf.epp', $security_crs_parameters), | ||||||
require => File[$modsec_dir], | ||||||
notify => Class['apache::service'], | ||||||
} | ||||||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change should be backwards-compatible. See related commit 675fb82 for details.