apache2 #2

  • By hloeung
  • Latest version (#2)
  • precise
  • Stable
  • Edge

Description

The Apache Software Foundation's goal is to build a secure, efficient
and extensible HTTP server as standards-compliant open source
software. The result has long been the number one web server on the
Internet. It features support for HTTPS, virtual hosting, CGI, SSI,
IPv6, easy scripting and database integration, request/response
filtering, many flexible authentication schemes, and more.


Juju charm apache

How to deploy the charm

juju deploy apache2
juju set apache2 "vhost_http_template=$(base64 < vhost.tmpl)"
# and / or
juju set apache2 "vhost_https_template=$(base64 < vhost.tmpl)"
juju add-relation apache2:reverseproxy haproxy:website

Vhost templates

The charm expects a jinja2 template to be passed in. The variables in
the template should relate to the services that apache will be proxying
-- obviously no variables need to be specified if no proxying is needed.

The charm will create the service variable, with the unit_name, when
the reverseproxy relationship is joined and present this to the template
at which point the vhost will be generated from the template again.
All config settings are also available to the template.

For example to access squid then the {{ squid }} variable should be used.
This will be populated with the hostname:port of the squid service. The
individual hostname and port can also be accessed via squid_hostname and
squid_port.

Note: The service name should be used, not the charm name. If deploying
a charm with a different service name, use that instead.

The joining charm may also set an all_services variable which contains
a list of services it provides in yaml format (list of associative arrays):

# ... in haproxy charm, website-relation-joined
relation-set all_services="
  - {service_name: gunicorn, service_port: 80}
  - {service_name: solr, service_port: 8080}
  - {service_name: my-webapp, service_port: 9090}
"

then variables for each service would be available to the jinja2 template
as the juju service name and the service_name joined with an underscore
(servicename_service_name). In our example above
haproxy contains stanzas named gunicorn, solr and my-webapp. These are
accessed as {{ haproxy_gunicorn }}, {{ haproxy_solr }} and
{{ haproxy_mywebapp }} respectively. If any unsupported characters are in
your juju service name or the service names exposed through "all_services",
they will be stripped.

For example a vhost that will pass all traffic on to an haproxy instance:

<VirtualHost *:80>
    ServerName radiotiptop.org.uk

    CustomLog /var/log/apache2/radiotiptop-access.log combined
    ErrorLog /var/log/apache2/radiotiptop-error.log

    DocumentRoot /srv/radiotiptop/www/root

    ProxyRequests off
    <Proxy *>
        Order Allow,Deny
        Allow from All
        ErrorDocument 403 /offline.html
        ErrorDocument 500 /offline.html
        ErrorDocument 502 /offline.html
        ErrorDocument 503 /offline.html
    </Proxy>

    ProxyPreserveHost off
    ProxyPassReverse / http://{{ haproxy_gunicorn }}/

    RewriteEngine on

    RewriteRule ^/$ /index.html [L]
    RewriteRule ^/(.*)$ http://{{ haproxy_gunicorn }}/$1 [P,L]
</VirtualHost>
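The variable rules above (a hostname:port variable per joined service, its _hostname and _port parts, one variable per all_services entry, and unsupported characters stripped from names) as a runnable illustration, rendered against the proxy lines of the vhost example. This is added example code, not the charm's own hook code: the relation payload is constructed, a mini-parser for the one-line all_services form stands in for PyYAML, a plain {{ name }} substitution stands in for jinja2, and it assumes each all_services entry resolves to hostname:service_port of the same remote unit.

```python
import re

# Characters allowed in a template variable name; everything else is stripped,
# which is what the README says happens to juju service names and to the
# service names exposed through all_services.
_DISALLOWED = re.compile(r"[^A-Za-z0-9_]")

# A {{ name }} placeholder.  This stands in for jinja2 so the example runs
# without third-party packages; the charm itself renders with jinja2.
_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def sanitize(name):
    """'my-webapp' -> 'mywebapp': strip characters unusable in an identifier."""
    return _DISALLOWED.sub("", name)


def parse_all_services(text):
    """Parse the flow-style YAML list haproxy sets in all_services.

    Constructed mini-parser for the one-line '- {key: value, ...}' form shown
    in the README; it is not PyYAML and handles nothing else.
    """
    services = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not (line.startswith("- {") and line.endswith("}")):
            raise ValueError("unsupported all_services line: %r" % line)
        entry = {}
        for pair in line[3:-1].split(","):
            key, _, value = pair.partition(":")
            entry[key.strip()] = value.strip()
        services.append(entry)
    return services


def build_context(service_name, relation_data, config):
    """Build the variables a vhost template sees after one reverseproxy join.

    service_name  -- the juju *service* name of the remote side (e.g. 'haproxy')
    relation_data -- settings the remote unit set (hostname, port, all_services)
    config        -- this charm's config settings, all exposed to the template
    Assumption: each all_services entry resolves to hostname:service_port of
    the same remote unit, which is how {{ haproxy_gunicorn }} is read above.
    """
    ctx = dict(config)
    host, port = relation_data["hostname"], relation_data["port"]
    base = sanitize(service_name)
    ctx[base] = "%s:%s" % (host, port)
    ctx[base + "_hostname"] = host
    ctx[base + "_port"] = port
    for svc in parse_all_services(relation_data.get("all_services", "")):
        name = base + "_" + sanitize(svc["service_name"])
        ctx[name] = "%s:%s" % (host, svc["service_port"])
    return ctx


def render(template, ctx):
    """Substitute placeholders; an unknown name is an error, not an empty
    string, so a vhost is never written with 'http:///' as its backend."""
    def replace(match):
        name = match.group(1)
        if name not in ctx:
            raise KeyError("template variable %r not provided by any relation" % name)
        return str(ctx[name])
    return _PLACEHOLDER.sub(replace, template)


# Constructed sample relation data, as haproxy's website-relation-joined
# would have set it (the address is made up).
SAMPLE_RELATION = {
    "hostname": "10.0.0.5",
    "port": "80",
    "all_services": """
  - {service_name: gunicorn, service_port: 80}
  - {service_name: solr, service_port: 8080}
  - {service_name: my-webapp, service_port: 9090}
""",
}

# The two proxy lines of the vhost example above.
SAMPLE_TEMPLATE = (
    "ProxyPassReverse / http://{{ haproxy_gunicorn }}/\n"
    "RewriteRule ^/(.*)$ http://{{ haproxy_gunicorn }}/$1 [P,L]\n"
)

if __name__ == "__main__":
    context = build_context("haproxy", SAMPLE_RELATION, {"servername": "www.example.com"})
    print(render(SAMPLE_TEMPLATE, context))
```

Failing on an unknown placeholder rather than substituting an empty string is deliberate: a template that names a service which has not joined yet should leave the old vhost in place, not produce a RewriteRule proxying to an empty host.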

Certs, keys and chains

ssl_keylocation, ssl_certlocation and ssl_chainlocation are file names in the
charm /data directory. If found, they will be copied as follows:

  • ssl_keylocation -> /etc/ssl/private/
  • ssl_certlocation -> /etc/ssl/certs/
  • ssl_chainlocation -> /etc/ssl/certs/

ssl_key and ssl_cert can also be specified, and are assumed to be
base64 encoded. If specified, they will be written to the appropriate directories
given the values in ssl_keylocation and ssl_certlocation as listed above.

ssl_cert may also be set to SELFSIGNED, which will generate a certificate.
This, of course, is mostly useful for testing and staging purposes. The
generated certificate/key will be placed according to ssl_certlocation and
ssl_keylocation as listed above.
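The placement rules of this section (base64 settings decoded, keys under /etc/ssl/private, certs and chains under /etc/ssl/certs, file names taken from the basename of the *location settings, ssl_key and ssl_chain ignored when ssl_cert is SELFSIGNED) as a runnable illustration. This is added example code, not the charm's own hook code: the PEM bodies are constructed placeholders, the root directory is a parameter so the layout can be checked under a scratch directory, the file modes 0600/0644 are the example's own choice, and self-signed generation is left to the charm rather than reimplemented.

```python
import base64
import binascii
import os
import stat
import tempfile

SELFSIGNED = "SELFSIGNED"

# Where each base64 setting lands, the file mode it should get, and the
# *location setting whose basename names the file (per the README).
_DESTINATIONS = {
    "ssl_key":   ("etc/ssl/private", 0o600, "ssl_keylocation"),
    "ssl_cert":  ("etc/ssl/certs",   0o644, "ssl_certlocation"),
    "ssl_chain": ("etc/ssl/certs",   0o644, "ssl_chainlocation"),
}


def plan_ssl_files(config, root="/"):
    """Return {destination path: (decoded bytes, mode)} for the files the
    config asks for.  'root' lets the plan be laid out under a scratch
    directory instead of the real /etc.

    With ssl_cert=SELFSIGNED the charm generates its own pair and ignores
    ssl_key and ssl_chain; that generation is left to the charm, so the plan
    is simply empty here.
    """
    if config.get("ssl_cert") == SELFSIGNED:
        return {}
    plan = {}
    for setting, (subdir, mode, loc_setting) in _DESTINATIONS.items():
        encoded, location = config.get(setting), config.get(loc_setting)
        if not encoded or not location:
            continue   # nothing to write, or nowhere to write it
        try:
            data = base64.b64decode(encoded, validate=True)
        except binascii.Error:
            raise ValueError("%s is not valid base64" % setting)
        dest = os.path.join(root, subdir, os.path.basename(location))
        plan[dest] = (data, mode)
    return plan


def write_ssl_files(plan):
    """Write the planned files, creating each with its final mode so a private
    key is never briefly world-readable; returns the paths written."""
    for path, (data, mode) in plan.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "wb") as handle:
            handle.write(data)
        os.chmod(path, mode)   # the create mode is masked by umask; enforce it
    return sorted(plan)


def key_is_private(path):
    """True when no group or other permission bits are set on the file."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def verify_in_scratch_root(config):
    """Lay the files out under a throwaway root and report (relative paths,
    whether every file under private/ ended up with a private mode)."""
    with tempfile.TemporaryDirectory() as root:
        written = write_ssl_files(plan_ssl_files(config, root=root))
        keys = [p for p in written if os.sep + "private" + os.sep in p]
        return ([os.path.relpath(p, root) for p in written],
                all(key_is_private(p) for p in keys))


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed placeholder PEM bodies (not real key material), encoded the way
# juju set apache2 "ssl_key=$(base64 < server.key)" would encode them.
SAMPLE_CONFIG = {
    "ssl_keylocation": "data/server.key",
    "ssl_certlocation": "data/server.crt",
    "ssl_chainlocation": "data/chain.crt",
    "ssl_key": _b64("-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n"),
    "ssl_cert": _b64("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"),
    # no ssl_chain given: the chain file is simply not written
}

if __name__ == "__main__":
    for path, (data, mode) in sorted(plan_ssl_files(SAMPLE_CONFIG).items()):
        print("%s  mode %o  %d bytes" % (path, mode, len(data)))
```

The key is created with its final mode (os.open with 0600 followed by chmod) rather than written and then tightened, and base64 is decoded with validate=True so a mangled setting fails before anything is written, which matches the TODO item's concern that key delivery through config deserves care.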

{enable,disable}_modules

Space separated list of modules to be enabled or disabled. If a module to
be enabled cannot be found then the charm will attempt to install it.

TODO:

  • Document the use of balancer, nrpe, logging and website-cache
  • Method to deliver site content. This may be by converting the charm to a
    subordinate and making it the master charm's problem
  • Implement secure method for delivering key. Juju will likely need to provide
    this.
  • Tuning. No tuning options are present. Convert apache2.conf to a template
    and expose config options
  • Testing. I have only tested the relationship setup with 1 haproxy instance.
    Needs testing against multiple instances

Configuration

Each setting is listed as name (type), with its default where the charm
defines one; the description follows.

SSL

ssl_cert (string)
    base64 encoded server certificate. If the keyword 'SELFSIGNED' is used, the certificate and key will be autogenerated as self-signed.
ssl_key (string)
    base64 encoded server certificate key. If ssl_cert is specified as SELFSIGNED, this will be ignored.
ssl_chain (string)
    base64 encoded chain certificates file. If ssl_cert is specified as SELFSIGNED, this will be ignored.
ssl_certlocation (string)
    Name and location of ssl certificate in charm/data directory. If not found, will ignore. Basename of this file will be used as the basename of the cert rooted at /etc/ssl/certs. Can be used in conjunction with the ssl_cert parameter to specify the cert as a configuration setting.
ssl_keylocation (string)
    Name and location of ssl keyfile in charm/data directory. If not found, will ignore. Basename of this file will be used as the basename of the key rooted at /etc/ssl/private. Can be used in conjunction with the ssl_key parameter to specify the key as a configuration setting.
ssl_chainlocation (string)
    Name and location of the ssl chain file. Basename of this file will be used as the basename of the chain file rooted at /etc/ssl/certs.

Vhosts and proxying

servername (string)
    ServerName for vhost, defaults to the unit's public-address
vhost_http_template (string)
    Apache vhost template (base64 encoded).
vhost_https_template (string)
    Apache vhost template (base64 encoded).
lb_balancer_timeout (int, default: 60)
    How long the backends in mod_proxy_balancer will timeout, in seconds

Modules

enable_modules (string)
    List of modules to enable
disable_modules (string, default: status autoindex)
    List of modules to disable

MPM

mpm_type (string, default: worker)
    worker or prefork
mpm_startservers (int, default: 2)
    Add desc
mpm_minsparethreads (int, default: 25)
    Add desc
mpm_maxsparethreads (int, default: 75)
    Add desc
mpm_threadlimit (int, default: 64)
    Add desc
mpm_threadsperchild (int, default: 64)
    Add desc
mpm_serverlimit (int, default: 128)
    Add desc
mpm_maxclients (int, default: 2048)
    Add desc
mpm_maxrequestsperchild (int)
    Add desc

Security

trace_enabled (string, default: On)
    Security setting. Set to one of On Off extended
server_tokens (string, default: OS)
    Security setting. Set to one of Full OS Minimal Minor Major Prod
server_signature (string, default: On)
    Security setting. Set to one of On Off EMail

Logging

use_rsyslog (boolean)
    Change logging behaviour to log both access and error logs via rsyslog
logrotate_rotate (string, default: daily)
    daily, weekly, monthly, or yearly?
logrotate_count (int, default: 365)
    The number of days we want to retain logs for
logrotate_dateext (boolean, default: True)
    Use daily extension like YYYYMMDD instead of simply adding a number

Monitoring

nagios_context (string, default: juju)
    Used by the nrpe-external-master subordinate charm. A string that will be prepended to instance name to set the host name in nagios. So for instance the hostname would be something like: juju-postgresql-0. If you're running multiple environments with the same services in them this allows you to differentiate between them.
nagios_check_http_params (string)
    The parameters to pass to the nrpe plugin check_http.

Config changes

config_change_command (string, default: reload)
    The command to run whenever config has changed. Accepted values are "reload" or "restart" - any other value will mean neither is executed after a config change (which may be desired, if you're running a production server and would rather handle these out of band). Note: some variables like the mpm settings require a restart to go into effect.