fb_apache: allow user to not enable public status (facebook#262)

jaymzh · facebook-github-bot · commit d0351f655091 · 2025-02-14T11:21:50.000-08:00
Summary: Public status is usually not desired and can be a security risk. Allow the user to opt-out and setup status however they want. Signed-off-by: Phil Dibowitz <phil@ipom.com> Pull Request resolved: facebook#262 Differential Revision: D69672310 fbshipit-source-id: 189067fca7159f66c270eda80c19cdbcd81bade0
diff --git a/cookbooks/fb_apache/README.md b/cookbooks/fb_apache/README.md
@@ -7,18 +7,19 @@ Requirements
 
 Attributes
 ----------
+* node['fb_apache']['enable_default_site']
+* node['fb_apache']['enable_public_status']
+* node['fb_apache']['extra_configs']
 * node['fb_apache']['manage_packages']
 * node['fb_apache']['manage_service']
-* node['fb_apache']['sites'][$SITE][$CONFIG]
-* node['fb_apache']['sysconfig'][$KEY]
-* node['fb_apache']['sysconfig']['_extra_lines']
+* node['fb_apache']['module_packages']
 * node['fb_apache']['modules']
 * node['fb_apache']['modules_directory']
 * node['fb_apache']['modules_mapping']
-* node['fb_apache']['module_packages']
-* node['fb_apache']['enable_default_site']
-* node['fb_apache']['extra_configs']
 * node['fb_apache']['mpm']
+* node['fb_apache']['sites'][$SITE][$CONFIG]
+* node['fb_apache']['sysconfig'][$KEY]
+* node['fb_apache']['sysconfig']['_extra_lines']
 
 Usage
 -----
@@ -219,6 +220,11 @@ and we've pre-populated all the common modules on both distro variants.
 Finally, `node['fb_apache']['modules_directory']` is set to the proper module
 directory for your distro, but you may override it if you'd like.
 
+### Global status
+By default this cookbook will enable a mod_status handler available publically
+at /server-status. You can disable this with
+`node.default['fb_apache']['enable_public_status'] = false`.
+
 ### Extra Configs
 Everything in `node['fb_apache']['extra_configs']` will be converted from hash
 syntax to Apache Config syntax in the same 1:1 manner as the `sites` hash above
diff --git a/cookbooks/fb_apache/attributes/default.rb b/cookbooks/fb_apache/attributes/default.rb
@@ -87,6 +87,7 @@
 
 default['fb_apache'] = {
   'sysconfig' => sysconfig,
+  'enable_public_status' => true,
   'manage_packages' => true,
   'manage_service' => true,
   'enable_default_site' => true,
diff --git a/cookbooks/fb_apache/recipes/default.rb b/cookbooks/fb_apache/recipes/default.rb
@@ -178,6 +178,7 @@
 
 # We want to collect apache stats
 template "#{confdir}/status.conf" do
+  only_if { node['fb_apache']['enable_public_status'] }
   source 'status.erb'
   owner node.root_user
   group node.root_group
@@ -187,6 +188,13 @@
   notifies :restart, 'service[apache]'
 end
 
+file "#{confdir}/status.conf" do
+  not_if { node['fb_apache']['enable_public_status'] }
+  action :delete
+  notifies :verify, 'fb_apache_verify_configs[doit]', :before
+  notifies :restart, 'service[apache]'
+end
+
 moddirbase = ::File.basename(moddir)
 sitesdirbase = ::File.basename(sitesdir)
 confdirbase = ::File.basename(confdir)
