mod_secure_proxy directive causes kitchen converge to fail #48

Open
silverl opened this issue May 17, 2017 · 5 comments

@silverl

silverl commented May 17, 2017

I have a very simple Policyfile which does nothing but include mod_security. Running kitchen converge works fine, builds up a CentOS box no problem. (Windows host, Vagrant).

When I follow your readme.md example and try to add a mod_secure_proxy directive, the kitchen converge fails.

The log states:

================================================================================
Error executing action `create` on resource 'template[/etc/httpd/sites-available/mytest.conf]'
================================================================================

Chef::Exceptions::FileNotFound
------------------------------
Cookbook 'mytest_aws_waf' (0.1.0) does not contain a file at any of these locations:
  templates/centos-7.3.1611/mod_secure_proxy.conf.erb
  templates/centos/mod_secure_proxy.conf.erb
  templates/default/mod_secure_proxy.conf.erb
  templates/mod_secure_proxy.conf.erb

Resource Declaration:
---------------------
# In /tmp/kitchen/cache/cookbooks/apache2/definitions/web_app.rb

 28:   template "#{node['apache']['dir']}/sites-available/#{application_name}.conf" do
 29:     source params[:template]
 30:     local params[:local]
 31:     owner 'root'
 32:     group node['apache']['root_group']
 33:     mode '0644'
 34:     cookbook params[:cookbook] if params[:cookbook]
 35:     variables(
 36:       application_name: application_name,
 37:       params: params
 38:     )
 39:     if ::File.exist?("#{node['apache']['dir']}/sites-enabled/#{application_name}.conf")
 40:       notifies :reload, 'service[apache2]', :delayed
 41:     end
 42:   end

Compiled Resource:
------------------
# Declared in /tmp/kitchen/cache/cookbooks/apache2/definitions/web_app.rb:28:in `block in from_file'

template("/etc/httpd/sites-available/mytest.conf") do
  params {:template=>"mod_secure_proxy.conf.erb", :local=>false, :enable=>true, :server_port=>80, :server_name=>"www.mytest.com", :server_aliases=>nil, :enable_https=>true, :name=>"mytest"}
  action [:create]
  default_guard_interpreter :default
  source "mod_secure_proxy.conf.erb"
  variables {:application_name=>"mytest", :params=>{:template=>"mod_secure_proxy.conf.erb", :local=>false, :enable=>true, :server_port=>80, :server_name=>"www.mytest.com", :server_aliases=>nil, :enable_https=>true, :name=>"mytest"}}
  declared_type :template
  cookbook_name "mytest_aws_waf"
  recipe_name "default"
  mode "0644"
  owner "root"
  group "root"
  path "/etc/httpd/sites-available/mytest.conf"
  verifications []
end

System Info:
------------
chef_version=13.0.118
platform=centos
platform_version=7.3.1611
ruby=ruby 2.4.1p111 (2017-03-22 revision 58053) [x86_64-linux]
program_name=chef-client worker: ppid=8165;start=21:40:05;
executable=/opt/chef/bin/chef-client

I don't want to copy your .erb template into my cookbook because that seems non-DRY.

Is there something I'm missing to allow chef to find your template?

Thanks.

@MrSeccubus
Member

@silverl,

If I read the error message correctly, the mytest_aws_waf cookbook tries to define a web_app resource with the template mod_secure_proxy.conf.erb, which is not in your cookbook. I'm not sure how that relates to the mod_security cookbook?

Can you try to explain a little bit better what it is you are trying to do and how you are calling the mod_security recipes?

Maybe you could share your mytest_aws_waf recipes?

Frank
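
An added illustration, not part of the thread or of either cookbook: a small Ruby model of the lookup shown in the error log above, where the `web_app` definition only sets `cookbook` when `params[:cookbook]` is present, so the search stays inside the declaring cookbook. The helper names, the cookbook file lists and the location of the template inside `mod_security` are assumptions made for the example.

```ruby
# Constructed sample data: which files each cookbook ships.
COOKBOOK_FILES = {
  'mytest_aws_waf' => ['recipes/default.rb'],
  # Assumption: the template lives under templates/default/ in mod_security.
  'mod_security'   => ['templates/default/mod_secure_proxy.conf.erb']
}.freeze

# Candidate paths, most specific first, in the order the error output lists them.
def template_candidates(source, platform, version)
  ["templates/#{platform}-#{version}/#{source}",
   "templates/#{platform}/#{source}",
   "templates/default/#{source}",
   "templates/#{source}"]
end

# Hypothetical helper modelling the template resource declared by web_app:
# without a :cookbook param, only the cookbook whose recipe declared the
# resource is searched.
def resolve_template(params, declaring_cookbook, platform:, version:)
  cookbook = params[:cookbook] || declaring_cookbook
  files = COOKBOOK_FILES.fetch(cookbook)
  hit = template_candidates(params[:template], platform, version)
        .find { |path| files.include?(path) }
  hit ? "#{cookbook}/#{hit}" : nil
end

# Params as they appear in the compiled resource (trimmed to the relevant keys).
PARAMS = { template: 'mod_secure_proxy.conf.erb', name: 'mytest' }.freeze

# Returns [result without :cookbook, result with :cookbook set].
def demo
  target = { platform: 'centos', version: '7.3.1611' }
  without = resolve_template(PARAMS, 'mytest_aws_waf', **target)
  with = resolve_template(PARAMS.merge(cookbook: 'mod_security'),
                          'mytest_aws_waf', **target)
  [without, with]
end

p demo if $PROGRAM_NAME == __FILE__
```
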

@silverl
Author

silverl commented May 18, 2017

Here's the simplest policyfile-based app I could construct to illustrate the issue (dropbox)

I performed the following steps:

  • chef generate app mod_security_test
  • cd mod_security_test
  • chef generate policyfile
  • Edited Policyfile.rb to set name, runlist and cookbook settings.
  • Edited .kitchen.yml to comment out ubuntu (I'm using CentOS). Commented out the default run_list, as it's not used in policyfile-based apps.
  • Edited recipes\default.rb to add the mod_secure_proxy directive as shown in your readme.md.
  • Ran chef install to generate the policy lockfile
  • Ran kitchen converge.

kitchen converge errors out as I showed in the logs provided previously.

@silverl
Author

silverl commented May 18, 2017

To explain what I'm trying to do, I'm trying to create an apache/mod_security web-application firewall starting with the most basic config possible that uses the OWASP CRS. Your cookbook looked like the way to go.

I'm relatively new to chef, and trying to adopt the new policyfile workflow. I've programmed for decades, but I don't know much ruby.

I assumed I could include your cookbook in my policyfile's runlist, then run my own recipe to configure mod_security using the directives defined in your cookbook.

@MrSeccubus
Member

@silverl I think I have found the problem, but lost your Dropbox files. Can you share them again?

@silverl
Author

silverl commented Jun 19, 2017

Very sorry, I can't find the file. I provided complete repro steps earlier.
