apache2 subordinate #3

Description

Apache2 subordinate charm

Juju apache2-subordinate charm

The apache2-subordinate charm relates to a primary web service charm
and exposes its code or content to the world over HTTP/HTTPS.
This means that your site is the primary service,
and other Web server subordinates can be substituted for this one
if they use the same relation data.

How to deploy the charm

Assuming you have a copy of the apache2-subordinate charm
in ./charms/$distrocodename/apache2-subordinate,
and that you want to use it to expose a wordpress service:

juju deploy --repository=charms local:apache2-subordinate
juju add-relation wordpress apache2-subordinate

Using the webservice relation

The primary relation used by the apache2-subordinate charm
is the webservice relation.
The charm requires the services variable to be set in the relation data.
The services variable must be a list of dictionaries,
each describing the parameters for a virtual host.

Please note that all data in these dictionaries
will be passed as strings by juju,
and the apache2-subordinate charm will decode the data into python objects.

The vhost definition dictionary supports the following keys:

  • url - scheme://hostname:port

    For example: http://myblog.me.com:80.

    If https is used, the charm will deploy the SSL certificates if they are
    available; otherwise it will create a self-signed keypair.
    Currently only http and https are supported.

  • type - vhost type.

    Currently only php is supported.

  • document_root

  • extra_packages (optional)

    List of extra packages the vhost requires.

    For example: ["php5_mysql", "php5_curl"]

  • webserver_options (optional)

    List of options specific to the web server subordinate.

    For example: ["mod_rewrite", "-serve-cgi-bin.conf", "+mod_status"]

  • redirects (optional)

    List of redirects.

    For example:

    [
        {"match": "/wp-admin",
         "target": "https://mysite.example.com/wp-admin"},
        {"match": "/wp-login.php",
         "target": "https://mysite.example.com/wp-login.php"}
    ]
    
  • redirect_match (optional)

    List of redirect match entries.

    For example:

    [
        {"match": "(.*).gif$",
         "target": "https://mysite.example.com$1.jpg",
         "type": "permanent"}
    ]
    
  • proxy (optional)

    List of proxy urls and targets.

    For example:

    [
        {"match": "/media/",
         "proxy_target": "http://media.example.com/"},
    ]
    
  • vhost_options (optional)

    List of dictionaries mapping Apache directives to their parameters.
    This is intended as a bit of a back channel
    for charms that explicitly know their Web server subordinate is Apache.

    For example:

    [{'Header': 'append Vary "Cookie"'}]
    

Example Relation Data

Putting all the pieces together,
a Wordpress installation might look something like the following:

[
    {
        "url": "http://mysite.example.com:8080",
        "type": "php",
        "document_root": "/srv/mysite.example.com",
        "extra_packages": ["php_mysql"],
        "redirects": [
            {"match": "/wp-admin", "target": "https://mysite.example.com/wp-admin"},
            {"match": "/wp-login.php", "target": "https://mysite.example.com/wp-login.php"}
        ],
        "proxy": [
            {"match": "/media/", "proxy_target": "http://media.example.com/"}
        ],
        "webserver_options": ["mod_rewrite", "mod_headers"],
        "vhost_options": [{'Header': 'append Vary "Cookie"'}],
    },
    {
        "url": "https://mysite.example.com:443",
        "type": "php",
        "document_root": "/srv/mysite.example.com",
        "extra_packages": ["php_mysql"],
        "webserver_options": ["mod_headers"],
        "vhost_options": [{'Header': 'append Vary "Cookie"'}],
    }
]
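
A check that a primary charm's author could run on the services value before setting it on the relation, added here as an example and not taken from the charm's code. It assumes the string is a Python literal, which matches the notation of the examples above; `check_services`, `check_url` and the sample data are constructed for illustration, and the charm's own decoder may differ.

```python
import ast
import re

# Constructed sample in the page's notation (single quotes, trailing commas).
SAMPLE = '''[
 {"url": "https://mysite.example.com:443", "type": "php", "document_root": "/srv/a",
  "proxy": [{"match": "/media/", "proxy_target": "http://media.example.com/"},],
  "vhost_options": [{'Header': 'append Vary "Cookie"'}],},
 {"url": "ftp://mysite.example.com:21", "type": "wsgi", "document_root": "/srv/b"},
]'''

def check_url(tag, url):
    """The page defines url as scheme://hostname:port, http or https only."""
    m = re.fullmatch(r"(\w+)://([^/:]+):(\d+)", url if isinstance(url, str) else "")
    if not m:
        return [tag + ".url: expected scheme://hostname:port"]
    if m.group(1) not in ("http", "https"):
        return [tag + ".url: only http and https are supported"]
    return []

def check_services(raw):
    """Decode a 'services' string and return a list of findings."""
    try:
        services = ast.literal_eval(raw)   # literals only, nothing is executed
    except (ValueError, SyntaxError):
        return ["services: not a valid literal"]
    if not isinstance(services, list):
        return ["services: must be a list of dictionaries"]
    out = []
    for i, vhost in enumerate(services):
        tag = "services[%d]" % i
        if not isinstance(vhost, dict):
            out.append(tag + ": not a dictionary")
            continue
        out += [tag + "." + k + ": required key missing"
                for k in ("url", "type", "document_root") if k not in vhost]
        out += check_url(tag, vhost.get("url"))
        if vhost.get("type", "php") != "php":
            out.append(tag + ".type: only php is supported")
        proxies = vhost.get("proxy")
        for p in proxies if isinstance(proxies, list) else []:
            target = str(p.get("proxy_target", "")) if isinstance(p, dict) else ""
            if target.startswith("http://"):   # this leg leaves the TLS vhost unencrypted
                out.append(tag + ".proxy: cleartext upstream " + target)
        if vhost.get("vhost_options"):         # directives are passed through as given
            out.append(tag + ".vhost_options: raw Apache directives, review by hand")
    return out
```
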

TODO

  • Add support for wsgi vhosts
    • Use document_root to specify wsgi script, or a new path variable?
  • Improve support for static content vhosts?
    • What's missing, currently?

Configuration

  • ssl_key (string)
    SSL key in base64.

  • mpm_auto_tuning (boolean)
    Automatically tune mpm per host CPU & RAM.
    Default: True

  • ssl_chain (string)
    SSL chain bundle in base64.

  • trace_enabled (string)
    Security setting. Set to one of: On, Off, extended.
    Default: Off

  • ssl_protocol (string)
    SSL Protocols to enable.
    Default: ALL -SSLv2 -SSLv3

  • mpm_type (string)
    The name of the apache-mpm-* package to install. Note that if the relation type of the primary charm is PHP, prefork will be used no matter what this is set to.
    Default: worker

  • mpm_min_spare_servers (int)
    Minimum number of server processes which are kept spare. Used by prefork only. Ignored if mpm_auto_tuning is True.
    Default: 5

  • mpm_max_spare_servers (int)
    Maximum number of server processes which are kept spare. Used by prefork only. Ignored if mpm_auto_tuning is True.
    Default: 10

  • mpm_min_spare_threads (int)
    Minimum number of worker threads which are kept spare. Used by worker only. Ignored if mpm_auto_tuning is True.
    Default: 25

  • ssl_honor_cipher_order (boolean)
    Enable server cipher suite preference.
    Default: True

  • server_tokens (string)
    Controls how the server product name is announced. Set to one of: Full, OS, Minimal, Minor, Major, ProductOnly.
    Default: OS

  • logrotate_dateext (boolean)
    If set to True (default) logrotate will append date to each rotated file.
    Default: True

  • logrotate_retention (int)
    Number of (daily rotated) logs to keep on disk.
    Default: 60

  • mpm_max_spare_threads (int)
    Maximum number of worker threads which are kept spare. Used by worker only. Ignored if mpm_auto_tuning is True.
    Default: 75

  • mpm_start_servers (int)
    Number of server processes to start. Used by prefork and worker. Ignored if mpm_auto_tuning is True.
    Default: 5

  • mpm_max_requests_per_child (int)
    Used by prefork and worker. Ignored if mpm_auto_tuning is True.

  • mpm_threads_per_child (int)
    Constant number of worker threads in each server process. Used by worker only. Ignored if mpm_auto_tuning is True.
    Default: 64

  • ssl_certificate (string)
    SSL certificate in base64.

  • mpm_server_limit (int)
    Upper limit on configurable number of processes. Used by prefork only. Ignored if mpm_auto_tuning is True.
    Default: 128

  • ssl_cipher_suite (string)
    List of server cipher suites.
    Default: EECDH+AESGCM+AES128:EDH+AESGCM+AES128:EECDH+AES128:EDH+AES128:ECDH+AESGCM+AES128:aRSA+AESGCM+AES128:ECDH+AES128:DH+AES128:aRSA+AES128:EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:ECDH+AESGCM:aRSA+AESGCM:ECDH:DH:aRSA:HIGH:!MEDIUM:!aNULL:!NULL:!LOW:!3DES:!DSS:!EXP:!PSK:!SRP

  • server_signature (string)
    Security setting. Set to one of: On, Off, EMail.
    Default: On

  • mpm_thread_limit (int)
    Sets the upper limit on the configurable number of threads per child process. Used by worker only. Ignored if mpm_auto_tuning is True.
    Default: 64

  • mpm_max_clients (int)
    Used by prefork and worker. Ignored if mpm_auto_tuning is True.
    Default: 2048
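
An added example (not part of the charm) that reviews the security-related options listed above before a deployment. It assumes the options are handed to the Apache directives SSLProtocol, SSLHonorCipherOrder, TraceEnable, ServerTokens and ServerSignature, and reads the protocol list with a simplified model; `audit` and `enabled_protocols` are names made up for the example.

```python
# Simplified model of the ssl_protocol token list (an assumption of this
# example): "ALL" means every name in KNOWN, "-X" removes X, "+X" or "X" adds X.
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # TLS 1.0/1.1: deprecated by RFC 8996

# Default values copied from the option list on this page.
PAGE_DEFAULTS = {"ssl_protocol": "ALL -SSLv2 -SSLv3", "ssl_honor_cipher_order": True,
                 "trace_enabled": "Off", "server_tokens": "OS", "server_signature": "On"}

def enabled_protocols(ssl_protocol):
    """Return the protocol names left enabled after applying each token in order."""
    enabled = set()
    for token in ssl_protocol.split():
        remove = token.startswith("-")
        name = token.lstrip("+-").lower()
        names = {k for k in KNOWN if name in ("all", k.lower())}
        enabled = enabled - names if remove else enabled | names
    return [k for k in KNOWN if k in enabled]

def audit(config):
    """Return one finding per option whose value weakens TLS or discloses server details."""
    findings = []
    legacy = [p for p in enabled_protocols(config.get("ssl_protocol", "")) if p in LEGACY]
    if legacy:
        findings.append("ssl_protocol: legacy protocols enabled: " + ", ".join(legacy))
    if not config.get("ssl_honor_cipher_order", True):
        findings.append("ssl_honor_cipher_order: client cipher preference wins")
    if str(config.get("trace_enabled", "Off")).lower() != "off":
        findings.append("trace_enabled: TRACE requests are answered")
    if str(config.get("server_tokens", "OS")) != "ProductOnly":
        findings.append("server_tokens: announces more than the product name")
    if str(config.get("server_signature", "On")).lower() != "off":
        findings.append("server_signature: server details in generated pages")
    return findings
```
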