Defined Type: apache::vhost

Defined in:
manifests/vhost.pp

Summary

Allows specialised configurations for virtual hosts that possess requirements outside of the defaults.

Overview

The apache module allows a lot of flexibility in the setup and configuration of virtual hosts. This flexibility is due, in part, to ‘vhost` being a defined resource type, which allows Apache to evaluate it multiple times with different parameters.<br /> The `apache::vhost` defined type allows you to have specialized configurations for virtual hosts that have requirements outside the defaults. You can set up a default virtual host within the base `::apache` class, as well as set a customized virtual host as the default. Customized virtual hosts have a lower numeric `priority` than the base class’s, causing Apache to process the customized virtual host first.<br /> The ‘apache::vhost` defined type uses `concat::fragment` to build the configuration file. To inject custom fragments for pieces of the configuration that the defined type doesn’t inherently support, add a custom fragment.<br /> For the custom fragment’s ‘order` parameter, the `apache::vhost` defined type uses multiples of 10, so any `order` that isn’t a multiple of 10 should work.<br /> > Note: When creating an ‘apache::vhost`, it cannot be named `default` or `default-ssl`, because vhosts with these titles are always managed by the module. This means that you cannot override `Apache::Vhost` or `Apache::Vhost` resources. An optional workaround is to create a vhost named something else, such as `my default`, and ensure that the `default` and `default_ssl` vhosts are set to `false`:

TODO: check, if this Documentation is obsolete lint:ignore:parameter_documentation lint:endignore

Specfies mod_auth_gssapi parameters for particular directories in a virtual host directory
```puppet
apache::vhost { 'sample.example.net':
  docroot     => '/path/to/directory',
  directories => [
    { path   => '/path/to/different/dir',
      gssapi => {
        acceptor_name            => '{HOSTNAME}',
        allowed_mech             => ['krb5', 'iakerb', 'ntlmssp'],
        authname                 => 'Kerberos 5',
        authtype                 => 'GSSAPI',
        basic_auth               => true,
        basic_auth_mech          => ['krb5', 'iakerb', 'ntlmssp'],
        basic_ticket_timeout     => 300,
        connection_bound         => true,
        cred_store               => {
          ccache        => ['/path/to/directory'],
          client_keytab => ['/path/to/example.keytab'],
          keytab        => ['/path/to/example.keytab'],
        },
        deleg_ccache_dir         => '/path/to/directory',
        deleg_ccache_env_var     => 'KRB5CCNAME',
        deleg_ccache_perms       => {
          mode => '0600',
          uid  => 'example-user',
          gid  => 'example-group',
        },
        deleg_ccache_unique      => true,
        impersonate              => true,
        local_name               => true,
        name_attributes          => 'json',
        negotiate_once           => true,
        publish_errors           => true,
        publish_mech             => true,
        required_name_attributes =>	'auth-indicators=high',
        session_key              => 'file:/path/to/example.key',
        signal_persistent_auth   => true,
        ssl_only                 => true,
        use_s4u2_proxy           => true,
        use_sessions             => true,
      }
    },
  ],
}
```

Examples:

class { 'apache':
  default_vhost     => false,
  default_ssl_vhost => false,
}

Parameters:

  • access_log (Boolean) (defaults to: true)

    Determines whether to configure ‘*_access.log` directives (`*_file`, `*_pipe`, or `*_syslog`).

  • access_log_env_var (Optional[Variant[Boolean, String]]) (defaults to: undef)

    Specifies that only requests with particular environment variables be logged.

  • access_log_file (Optional[String[1]]) (defaults to: undef)

    Sets the filename of the ‘*_access.log` placed in `logroot`. Given a virtual host —for instance, example.com— it defaults to ’example.com_ssl.log’ for [SSL-encrypted](httpd.apache.org/docs/current/ssl/index.html) virtual hosts and ‘example.com_access.log` for unencrypted virtual hosts.

  • access_log_format (Optional[String[1]]) (defaults to: undef)

    Specifies the use of either a ‘LogFormat` nickname or a custom-formatted string for the access log.

  • access_log_pipe (Optional[String[1]]) (defaults to: undef)

    Specifies a pipe where Apache sends access log messages.

  • access_log_syslog (Optional[Variant[String, Boolean]]) (defaults to: undef)

    Sends all access log messages to syslog.

  • access_logs (Optional[Array[Hash]]) (defaults to: undef)

    Allows you to give a hash that specifies the state of each of the ‘access_log_*` directives shown above, i.e. `access_log_pipe` and `access_log_syslog`.

  • add_default_charset (Optional[String]) (defaults to: undef)

    Sets a default media charset value for the ‘AddDefaultCharset` directive, which is added to `text/plain` and `text/html` responses.

  • add_listen (Boolean) (defaults to: true)

    Determines whether the virtual host creates a ‘Listen` statement.<br /> Setting `add_listen` to `false` prevents the virtual host from creating a `Listen` statement. This is important when combining virtual hosts that aren’t passed an ‘ip` parameter with those that are.

  • use_optional_includes (Boolean) (defaults to: $apache::use_optional_includes)

    Specifies whether Apache uses the ‘IncludeOptional` directive instead of `Include` for `additional_includes` in Apache 2.4 or newer.

  • aliases (Array[Hash[String[1], String[1]]]) (defaults to: [])

    Passes a list of [hashes] to the virtual host to create ‘Alias`, `AliasMatch`, `ScriptAlias` or `ScriptAliasMatch` directives as per the `mod_alias` documentation.<br /> For example: “` puppet aliases => [

    { aliasmatch       => '^/image/(.*)\.jpg$',
      path             => '/files/jpg.images/$1.jpg',
    },
    { alias            => '/image',
      path             => '/ftp/pub/image',
    },
    { scriptaliasmatch => '^/cgi-bin(.*)',
      path             => '/usr/local/share/cgi-bin$1',
    },
    { scriptalias      => '/nagios/cgi-bin/',
      path             => '/usr/lib/nagios/cgi-bin/',
    },
    { alias            => '/nagios',
      path             => '/usr/share/nagios/html',
    },
    

    ], “‘ For the `alias`, `aliasmatch`, `scriptalias` and `scriptaliasmatch` keys to work, each needs a corresponding context, such as `<Directory /path/to/directory>` or `<Location /some/location/here>`. Puppet creates the directives in the order specified in the `aliases` parameter. As described in the `mod_alias` documentation, add more specific `alias`, `aliasmatch`, `scriptalias` or `scriptaliasmatch` parameters before the more general ones to avoid shadowing.<BR /> > Note: Use the `aliases` parameter instead of the `scriptaliases` parameter because you can precisely control the order of various alias directives. Defining `ScriptAliases` using the `scriptaliases` parameter means all `ScriptAlias` directives will come after all `Alias` directives, which can lead to `Alias` directives shadowing `ScriptAlias` directives. This often causes problems; for example, this could cause problems with Nagios.<BR /> If `apache::mod::passenger` is loaded and `PassengerHighPerformance` is `true`, the `Alias` directive might not be able to honor the `PassengerEnabled => off` statement. See [this article](www.conandalton.net/2010/06/passengerenabled-off-not-working.html) for details.

  • allow_encoded_slashes (Optional[Enum['on', 'off', 'nodecode']]) (defaults to: undef)

    Sets the ‘AllowEncodedSlashes` declaration for the virtual host, overriding the server default. This modifies the virtual host responses to URLs with `` and `/` characters. The default setting omits the declaration from the server configuration and selects the Apache default setting of `Off`.

  • block (Variant[Array[String], String]) (defaults to: [])

    Specifies the list of things to which Apache blocks access. Valid options are: ‘scm` (which blocks web access to `.svn`), `.git`, and `.bzr` directories.

  • cas_attribute_prefix (Optional[String]) (defaults to: undef)

    Adds a header with the value of this header being the attribute values when SAML validation is enabled.

  • cas_attribute_delimiter (Optional[String]) (defaults to: undef)

    Sets the delimiter between attribute values in the header created by ‘cas_attribute_prefix`.

  • cas_login_url (Optional[String]) (defaults to: undef)

    Sets the URL to which the module redirects users when they attempt to access a CAS-protected resource and don’t have an active session.

  • cas_root_proxied_as (Optional[String]) (defaults to: undef)

    Sets the URL end users see when access to this Apache server is proxied per vhost. This URL should not include a trailing slash.

  • cas_scrub_request_headers (Boolean) (defaults to: false)

    Remove inbound request headers that may have special meaning within mod_auth_cas.

  • cas_sso_enabled (Boolean) (defaults to: false)

    Enables experimental support for single sign out (may mangle POST data).

  • cas_validate_saml (Boolean) (defaults to: false)

    Parse response from CAS server for SAML.

  • cas_validate_url (Optional[String]) (defaults to: undef)

    Sets the URL to use when validating a client-presented ticket in an HTTP query string.

  • cas_cookie_path (Optional[String]) (defaults to: undef)

    Sets the location where information on the current session should be stored. This should be writable by the web server only.

  • comment (Optional[Variant[String, Array[String]]]) (defaults to: undef)

    Adds comments to the header of the configuration file. Pass as string or an array of strings. For example: “‘ puppet comment => “Account number: 123B”, “` Or: “` puppet comment => [

    "Customer: X",
    "Frontend domain: x.example.org",
    

    ] “‘

  • default_vhost (Boolean) (defaults to: false)

    Sets a given ‘apache::vhost` defined type as the default to serve requests that do not match any other `apache::vhost` defined types.

  • directoryindex (Optional[String]) (defaults to: undef)

    Sets the list of resources to look for when a client requests an index of the directory by specifying a ‘/’ at the end of the directory name. See the ‘DirectoryIndex` directive documentation for details.

  • docroot (Variant[Stdlib::Absolutepath, Boolean])

    Required.<br /> Sets the ‘DocumentRoot` location, from which Apache serves files.<br /> If `docroot` and `manage_docroot` are both set to `false`, no `DocumentRoot` will be set and the accompanying `<Directory /path/to/directory>` block will not be created.

  • docroot_group (String) (defaults to: $apache::params::root_group)

    Sets group access to the ‘docroot` directory.

  • docroot_owner (String) (defaults to: 'root')

    Sets individual user access to the ‘docroot` directory.

  • docroot_mode (Optional[Stdlib::Filemode]) (defaults to: undef)

    Sets access permissions for the ‘docroot` directory, in numeric notation.

  • manage_docroot (Boolean) (defaults to: true)

    Determines whether Puppet manages the ‘docroot` directory.

  • error_log (Boolean) (defaults to: true)

    Specifies whether ‘*_error.log` directives should be configured.

  • error_log_file (Optional[String]) (defaults to: undef)

    Points the virtual host’s error logs to a ‘*_error.log` file. If this parameter is undefined, Puppet checks for values in `error_log_pipe`, then `error_log_syslog`.<br /> If none of these parameters is set, given a virtual host `example.com`, Puppet defaults to `$logroot/example.com_error_ssl.log` for SSL virtual hosts and `$logroot/example.com_error.log` for non-SSL virtual hosts.

  • error_log_pipe (Optional[String]) (defaults to: undef)

    Specifies a pipe to send error log messages to.<br /> This parameter has no effect if the ‘error_log_file` parameter has a value. If neither this parameter nor `error_log_file` has a value, Puppet then checks `error_log_syslog`.

  • error_log_syslog (Optional[Variant[String, Boolean]]) (defaults to: undef)

    Determines whether to send all error log messages to syslog. This parameter has no effect if either of the ‘error_log_file` or `error_log_pipe` parameters has a value. If none of these parameters has a value, given a virtual host `example.com`, Puppet defaults to `$logroot/example.com_error_ssl.log` for SSL virtual hosts and `$logroot/example.com_error.log` for non-SSL virtual hosts.

  • error_log_format (Optional[ Array[ Variant[ String, Hash[String, Enum['connection', 'request']] ] ] ]) (defaults to: undef)

    Sets the [ErrorLogFormat](httpd.apache.org/docs/current/mod/core.html#errorlogformat) format specification for error log entries inside virtual host For example: “‘ puppet apache::vhost { ’site.name.fdqn’:

    ...
    error_log_format => [
      '[%{uc}t] [%-m:%-l] [R:%L] [C:%{C}L] %7F: %E: %M',
      { '[%{uc}t] [R:%L] Request %k on C:%{c}L pid:%P tid:%T' => 'request' },
      { "[%{uc}t] [R:%L] UA:'%+{User-Agent}i'" => 'request' },
      { "[%{uc}t] [R:%L] Referer:'%+{Referer}i'" => 'request' },
      { '[%{uc}t] [C:%{c}L] local\ %a remote\ %A' => 'connection' },
    ],
    

    } “‘

  • error_documents (Variant[Array[Hash], String]) (defaults to: [])

    A list of hashes which can be used to override the [ErrorDocument](httpd.apache.org/docs/current/mod/core.html#errordocument) settings for this virtual host.<br /> For example: “‘ puppet apache::vhost { ’sample.example.net’:

    error_documents => [
      { 'error_code' => '503', 'document' => '/service-unavail' },
      { 'error_code' => '407', 'document' => 'https://example.com/proxy/login' },
    ],
    

    } “‘

  • ensure (Enum['absent', 'present']) (defaults to: 'present')

    Specifies if the virtual host is present or absent.<br />

  • fallbackresource (Optional[Variant[Stdlib::Absolutepath, Enum['disabled']]]) (defaults to: undef)

    Sets the [FallbackResource](httpd.apache.org/docs/current/mod/mod_dir.html#fallbackresource) directive, which specifies an action to take for any URL that doesn’t map to anything in your filesystem and would otherwise return ‘HTTP 404 (Not Found)’. Values must either begin with a ‘/` or be `disabled`.

  • filters (Array[String[1]]) (defaults to: [])

    [Filters](httpd.apache.org/docs/current/mod/mod_filter.html) enable smart, context-sensitive configuration of output content filters. “‘ puppet apache::vhost { “$::fqdn”:

    filters => [
      'FilterDeclare   COMPRESS',
      'FilterProvider  COMPRESS DEFLATE resp=Content-Type $text/html',
      'FilterChain     COMPRESS',
      'FilterProtocol  COMPRESS DEFLATE change=yes;byteranges=no',
    ],
    

    } “‘

  • h2_copy_files (Optional[Boolean]) (defaults to: undef)

    Sets the [H2CopyFiles](httpd.apache.org/docs/current/mod/mod_http2.html#h2copyfiles) directive which influences how the requestion process pass files to the main connection.

  • h2_direct (Optional[Boolean]) (defaults to: undef)

    Sets the [H2Direct](httpd.apache.org/docs/current/mod/mod_http2.html#h2direct) directive which toggles the usage of the HTTP/2 Direct Mode.

  • h2_early_hints (Optional[Boolean]) (defaults to: undef)

    Sets the [H2EarlyHints](httpd.apache.org/docs/current/mod/mod_http2.html#h2earlyhints) directive which controls if HTTP status 103 interim responses are forwarded to the client or not.

  • h2_max_session_streams (Optional[Integer]) (defaults to: undef)

    Sets the [H2MaxSessionStreams](httpd.apache.org/docs/current/mod/mod_http2.html#h2maxsessionstreams) directive which sets the maximum number of active streams per HTTP/2 session that the server allows.

  • h2_modern_tls_only (Optional[Boolean]) (defaults to: undef)

    Sets the [H2ModernTLSOnly](httpd.apache.org/docs/current/mod/mod_http2.html#h2moderntlsonly) directive which toggles the security checks on HTTP/2 connections in TLS mode.

  • h2_push (Optional[Boolean]) (defaults to: undef)

    Sets the [H2Push](httpd.apache.org/docs/current/mod/mod_http2.html#h2push) directive which toggles the usage of the HTTP/2 server push protocol feature.

  • h2_push_diary_size (Optional[Integer]) (defaults to: undef)

    Sets the [H2PushDiarySize](httpd.apache.org/docs/current/mod/mod_http2.html#h2pushdiarysize) directive which toggles the maximum number of HTTP/2 server pushes that are remembered per HTTP/2 connection.

  • h2_push_priority (Array[String]) (defaults to: [])

    Sets the [H2PushPriority](httpd.apache.org/docs/current/mod/mod_http2.html#h2pushpriority) directive which defines the priority handling of pushed responses based on the content-type of the response.

  • h2_push_resource (Array[String]) (defaults to: [])

    Sets the [H2PushResource](httpd.apache.org/docs/current/mod/mod_http2.html#h2pushresource) directive which declares resources for early pushing to the client.

  • h2_serialize_headers (Optional[Boolean]) (defaults to: undef)

    Sets the [H2SerializeHeaders](httpd.apache.org/docs/current/mod/mod_http2.html#h2serializeheaders) directive which toggles if HTTP/2 requests are serialized in HTTP/1.1 format for processing by httpd core.

  • h2_stream_max_mem_size (Optional[Integer]) (defaults to: undef)

    Sets the [H2StreamMaxMemSize](httpd.apache.org/docs/current/mod/mod_http2.html#h2streammaxmemsize) directive which sets the maximum number of outgoing data bytes buffered in memory for an active stream.

  • h2_tls_cool_down_secs (Optional[Integer]) (defaults to: undef)

    Sets the [H2TLSCoolDownSecs](httpd.apache.org/docs/current/mod/mod_http2.html#h2tlscooldownsecs) directive which sets the number of seconds of idle time on a TLS connection before the TLS write size falls back to a small (~1300 bytes) length.

  • h2_tls_warm_up_size (Optional[Integer]) (defaults to: undef)

    Sets the [H2TLSWarmUpSize](httpd.apache.org/docs/current/mod/mod_http2.html#h2tlswarmupsize) directive which sets the number of bytes to be sent in small TLS records (~1300 bytes) until doing maximum sized writes (16k) on https: HTTP/2 connections.

  • h2_upgrade (Optional[Boolean]) (defaults to: undef)

    Sets the [H2Upgrade](httpd.apache.org/docs/current/mod/mod_http2.html#h2upgrade) directive which toggles the usage of the HTTP/1.1 Upgrade method for switching to HTTP/2.

  • h2_window_size (Optional[Integer]) (defaults to: undef)

    Sets the [H2WindowSize](httpd.apache.org/docs/current/mod/mod_http2.html#h2windowsize) directive which sets the size of the window that is used for flow control from client to server and limits the amount of data the server has to buffer.

  • ip (Optional[ Variant[ Array[Variant[Stdlib::IP::Address, Enum['*']]], Variant[Stdlib::IP::Address, Enum['*']] ] ]) (defaults to: undef)

    Sets the IP address the virtual host listens on. By default, uses Apache’s default behavior of listening on all IPs.

  • ip_based (Boolean) (defaults to: false)

    Enables an [IP-based](httpd.apache.org/docs/current/vhosts/ip-based.html) virtual host. This parameter inhibits the creation of a NameVirtualHost directive, since those are used to funnel requests to name-based virtual hosts.

  • itk (Optional[Hash]) (defaults to: undef)

    Configures [ITK](mpm-itk.sesse.net/) in a hash.<br /> Usage typically looks something like: “‘ puppet apache::vhost { ’sample.example.net’:

    docroot => '/path/to/directory',
    itk     => {
      user  => 'someuser',
      group => 'somegroup',
    },
    

    } “‘ Valid values are: a hash, which can include the keys:

    • ‘user` + `group`

    • ‘assignuseridexpr`

    • ‘assigngroupidexpr`

    • ‘maxclientvhost`

    • ‘nice`

    • ‘limituidrange` (Linux 3.5.0 or newer)

    • ‘limitgidrange` (Linux 3.5.0 or newer)

  • action (Optional[String]) (defaults to: undef)

    Specifies whether you wish to configure mod_actions action directive which will activate cgi-script when triggered by a request.

  • jk_mounts (Array[Hash]) (defaults to: [])

    Sets up a virtual host with ‘JkMount` and `JkUnMount` directives to handle the paths for URL mapping between Tomcat and Apache.<br /> The parameter must be an array of hashes where each hash must contain the `worker` and either the `mount` or `unmount` keys.<br /> Usage typically looks like: “` puppet apache::vhost { ’sample.example.net’:

    jk_mounts => [
      { mount   => '/*',     worker => 'tcnode1', },
      { unmount => '/*.jpg', worker => 'tcnode1', },
    ],
    

    } “‘

  • http_protocol_options (Optional[Pattern[/^((Strict|Unsafe)?\s*(\b(Registered|Lenient)Methods)?\s*(\b(Allow0\.9|Require1\.0))?)$/]]) (defaults to: undef)

    Specifies the strictness of HTTP protocol checks.

  • keepalive (Optional[Enum['on', 'off']]) (defaults to: undef)

    Determines whether to enable persistent HTTP connections with the ‘KeepAlive` directive for the virtual host. By default, the global, server-wide `KeepAlive` setting is in effect.<br /> Use the `keepalive_timeout` and `max_keepalive_requests` parameters to set relevant options for the virtual host.

  • keepalive_timeout (Optional[Variant[Integer, String]]) (defaults to: undef)

    Sets the ‘KeepAliveTimeout` directive for the virtual host, which determines the amount of time to wait for subsequent requests on a persistent HTTP connection. By default, the global, server-wide `KeepAlive` setting is in effect.<br /> This parameter is only relevant if either the global, server-wide `keepalive` parameter or the per-vhost `keepalive` parameter is enabled.

  • max_keepalive_requests (Optional[Variant[Integer, String]]) (defaults to: undef)

    Limits the number of requests allowed per connection to the virtual host. By default, the global, server-wide ‘KeepAlive` setting is in effect.<br /> This parameter is only relevant if either the global, server-wide `keepalive` parameter or the per-vhost `keepalive` parameter is enabled.

  • auth_kerb (Boolean) (defaults to: false)

    Enable ‘mod_auth_kerb` parameters for a virtual host.<br /> Usage typically looks like: “` puppet apache::vhost { ’sample.example.net’:

    auth_kerb              => `true`,
    krb_method_negotiate   => 'on',
    krb_auth_realms        => ['EXAMPLE.ORG'],
    krb_local_user_mapping => 'on',
    directories            => [
      {
        path         => '/var/www/html',
        auth_name    => 'Kerberos Login',
        auth_type    => 'Kerberos',
        auth_require => 'valid-user',
      },
    ],
    

    } “‘

  • krb_method_negotiate (Enum['on', 'off']) (defaults to: 'on')

    Determines whether to use the Negotiate method.

  • krb_method_k5passwd (Enum['on', 'off']) (defaults to: 'on')

    Determines whether to use password-based authentication for Kerberos v5.

  • krb_authoritative (Enum['on', 'off']) (defaults to: 'on')

    If set to ‘off`, authentication controls can be passed on to another module.

  • krb_auth_realms (Array[String]) (defaults to: [])

    Specifies an array of Kerberos realms to use for authentication.

  • krb_5keytab (Optional[String]) (defaults to: undef)

    Specifies the Kerberos v5 keytab file’s location.

  • krb_local_user_mapping (Optional[Enum['on', 'off']]) (defaults to: undef)

    Strips @REALM from usernames for further use.

  • krb_verify_kdc (Enum['on', 'off']) (defaults to: 'on')

    This option can be used to disable the verification tickets against local keytab to prevent KDC spoofing attacks.

  • krb_servicename (String) (defaults to: 'HTTP')

    Specifies the service name that will be used by Apache for authentication. Corresponding key of this name must be stored in the keytab.

  • krb_save_credentials (Enum['on', 'off']) (defaults to: 'off')

    This option enables credential saving functionality.

  • logroot (Stdlib::Absolutepath) (defaults to: $apache::logroot)

    Specifies the location of the virtual host’s logfiles.

  • logroot_ensure (Enum['directory', 'absent']) (defaults to: 'directory')

    Determines whether or not to remove the logroot directory for a virtual host.

  • logroot_mode (Optional[Stdlib::Filemode]) (defaults to: undef)

    Overrides the mode the logroot directory is set to. Do not grant write access to the directory the logs are stored in without being aware of the consequences; for more information, see [Apache’s log security documentation](httpd.apache.org/docs/2.4/logs.html#security).

  • logroot_owner (Optional[String]) (defaults to: undef)

    Sets individual user access to the logroot directory.

  • logroot_group (Optional[String]) (defaults to: undef)

    Sets group access to the ‘logroot` directory.

  • log_level (Optional[Apache::LogLevel]) (defaults to: undef)

    Specifies the verbosity of the error log.

  • modsec_body_limit (Optional[String]) (defaults to: undef)

    Configures the maximum request body size (in bytes) ModSecurity accepts for buffering.

  • modsec_disable_vhost (Boolean) (defaults to: false)

    Disables ‘mod_security` on a virtual host. Only valid if `apache::mod::security` is included.

  • modsec_disable_ids (Optional[Variant[Hash, Array]]) (defaults to: undef)

    Removes ‘mod_security` IDs from the virtual host.<br /> Also takes a hash allowing removal of an ID from a specific location. “` puppet apache::vhost { ’sample.example.net’:

    modsec_disable_ids => [ 90015, 90016 ],
    

    } “‘

    “‘ puppet apache::vhost { ’sample.example.net’:

    modsec_disable_ids => { '/location1' => [ 90015, 90016 ] },
    

    } “‘

  • modsec_disable_ips (Array[String[1]]) (defaults to: [])

    Specifies an array of IP addresses to exclude from ‘mod_security` rule matching.

  • modsec_disable_msgs (Optional[Variant[Hash, Array]]) (defaults to: undef)

    Array of mod_security Msgs to remove from the virtual host. Also takes a hash allowing removal of an Msg from a specific location. “‘ puppet apache::vhost { ’sample.example.net’:

    modsec_disable_msgs => ['Blind SQL Injection Attack', 'Session Fixation Attack'],
    

    } “‘ “` puppet apache::vhost { ’sample.example.net’:

    modsec_disable_msgs => { '/location1' => ['Blind SQL Injection Attack', 'Session Fixation Attack'] },
    

    } “‘

  • modsec_disable_tags (Optional[Variant[Hash, Array]]) (defaults to: undef)

    Array of mod_security Tags to remove from the virtual host. Also takes a hash allowing removal of an Tag from a specific location. “‘ puppet apache::vhost { ’sample.example.net’:

    modsec_disable_tags => ['WEB_ATTACK/SQL_INJECTION', 'WEB_ATTACK/XSS'],
    

    } “‘ “` puppet apache::vhost { ’sample.example.net’:

    modsec_disable_tags => { '/location1' => ['WEB_ATTACK/SQL_INJECTION', 'WEB_ATTACK/XSS'] },
    

    } “‘

  • modsec_audit_log_file (Optional[String]) (defaults to: undef)

    If set, it is relative to ‘logroot`.<br /> One of the parameters that determines how to send `mod_security` audit log ([SecAuditLog](github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecAuditLog)). If none of those parameters are set, the global audit log is used (`/var/log/httpd/modsec_audit.log`; Debian and derivatives: `/var/log/apache2/modsec_audit.log`; others: ).

  • modsec_audit_log_pipe (Optional[String]) (defaults to: undef)

    If ‘modsec_audit_log_pipe` is set, it should start with a pipe. Example `|/path/to/mlogc /path/to/mlogc.conf`.<br /> One of the parameters that determines how to send `mod_security` audit log ([SecAuditLog](github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecAuditLog)). If none of those parameters are set, the global audit log is used (`/var/log/httpd/modsec_audit.log`; Debian and derivatives: `/var/log/apache2/modsec_audit.log`; others: ).

  • modsec_audit_log (Optional[Variant[String, Boolean]]) (defaults to: undef)

    If ‘modsec_audit_log` is `true`, given a virtual host —for instance, example.com— it defaults to `example.com_security_ssl.log` for SSL-encrypted virtual hosts and `example.com_security.log` for unencrypted virtual hosts.<br /> One of the parameters that determines how to send `mod_security` audit log ([SecAuditLog](github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecAuditLog)).<br /> If none of those parameters are set, the global audit log is used (`/var/log/httpd/modsec_audit.log`; Debian and derivatives: `/var/log/apache2/modsec_audit.log`; others: ).

  • modsec_inbound_anomaly_threshold (Optional[Integer[1, default]]) (defaults to: undef)

    Override the global scoring threshold level of the inbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.

  • modsec_outbound_anomaly_threshold (Optional[Integer[1, default]]) (defaults to: undef)

    Override the global scoring threshold level of the outbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.

  • modsec_allowed_methods (Optional[String]) (defaults to: undef)

    Override global allowed methods. A space-separated list of allowed HTTP methods.

  • no_proxy_uris (Variant[Array[String], String]) (defaults to: [])

    Specifies URLs you do not want to proxy. This parameter is meant to be used in combination with [‘proxy_dest`](#proxy_dest).

  • no_proxy_uris_match (Variant[Array[String], String]) (defaults to: [])

    This directive is equivalent to ‘no_proxy_uris`, but takes regular expressions.

  • proxy_preserve_host (Boolean) (defaults to: false)

    Sets the [ProxyPreserveHost Directive](httpd.apache.org/docs/current/mod/mod_proxy.html#proxypreservehost).<br /> Setting this parameter to ‘true` enables the `Host:` line from an incoming request to be proxied to the host instead of hostname. Setting it to `false` sets this directive to ’Off’.

  • proxy_add_headers (Optional[Variant[String, Boolean]]) (defaults to: undef)

    Sets the [ProxyAddHeaders Directive](httpd.apache.org/docs/current/mod/mod_proxy.html#proxyaddheaders).<br /> This parameter controlls whether proxy-related HTTP headers (X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server) get sent to the backend server.

  • proxy_error_override (Boolean) (defaults to: false)

    Sets the [ProxyErrorOverride Directive](httpd.apache.org/docs/current/mod/mod_proxy.html#proxyerroroverride). This directive controls whether Apache should override error pages for proxied content.

  • options (Array[String]) (defaults to: ['Indexes', 'FollowSymLinks', 'MultiViews'])

    Sets the [‘Options`](httpd.apache.org/docs/current/mod/core.html#options) for the specified virtual host. For example: “` puppet apache::vhost { ’site.name.fdqn’:

    ...
    options => ['Indexes', 'FollowSymLinks', 'MultiViews'],
    

    } “‘ > Note: If you use the `directories` parameter of `apache::vhost`, ’Options’, ‘Override’, and ‘DirectoryIndex’ are ignored because they are parameters within ‘directories`.

  • override (Array[String]) (defaults to: ['None'])

    Sets the overrides for the specified virtual host. Accepts an array of [AllowOverride](httpd.apache.org/docs/current/mod/core.html#allowoverride) arguments.

  • passenger_enabled (Optional[Boolean]) (defaults to: undef)

    Sets the value for the [PassengerEnabled](www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerEnabled) directive to ‘on` or `off`. Requires `apache::mod::passenger` to be included. “` puppet apache::vhost { ’sample.example.net’:

    docroot     => '/path/to/directory',
    directories => [
      { path              => '/path/to/directory',
        passenger_enabled => 'on',
      },
    ],
    

    } “‘ > Note: There is an [issue](www.conandalton.net/2010/06/passengerenabled-off-not-working.html) using the PassengerEnabled directive with the PassengerHighPerformance directive.

  • passenger_base_uri (Optional[String]) (defaults to: undef)

    Sets [PassengerBaseURI](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerbase_rui),

    to specify that the given URI is a distinct application served by Passenger.
    
  • passenger_ruby (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Sets [PassengerRuby](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerruby), specifying the Ruby interpreter to use when serving the relevant web applications.

  • passenger_python (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Sets [PassengerPython](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerpython), specifying the Python interpreter to use when serving the relevant web applications.

  • passenger_nodejs (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Sets the [‘PassengerNodejs`](www.phusionpassenger.com/docs/references/config_reference/apache/#passengernodejs), specifying Node.js command to use when serving the relevant web applications.

  • passenger_meteor_app_settings (Optional[String]) (defaults to: undef)

    Sets [PassengerMeteorAppSettings](www.phusionpassenger.com/docs/references/config_reference/apache/#passengermeteorappsettings), specifying a JSON file with settings for the application when using a Meteor application in non-bundled mode.

  • passenger_app_env (Optional[String]) (defaults to: undef)

    Sets [PassengerAppEnv](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerappenv), the environment for the Passenger application. If not specified, defaults to the global setting or ‘production’.

  • passenger_app_root (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Sets [PassengerRoot](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerapproot), the location of the Passenger application root if different from the DocumentRoot.

  • passenger_app_group_name (Optional[String]) (defaults to: undef)

    Sets [PassengerAppGroupName](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerappgroupname),

    the name of the application group that the current application should belong to.
    
  • passenger_app_start_command (Optional[String]) (defaults to: undef)

    Sets [PassengerAppStartCommand](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerappstartcommand),

    how Passenger should start your app on a specific port.
    
  • passenger_app_type (Optional[Enum['meteor', 'node', 'rack', 'wsgi']]) (defaults to: undef)

    Sets [PassengerAppType](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerapptype),

    to force Passenger to recognize the application as a specific type.
    
  • passenger_startup_file (Optional[String]) (defaults to: undef)

    Sets the [PassengerStartupFile](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstartupfile), path. This path is relative to the application root.

  • passenger_restart_dir (Optional[String]) (defaults to: undef)

    Sets the [PassengerRestartDir](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerrestartdir),

    to customize the directory in which `restart.txt` is searched for.
    
  • passenger_spawn_method (Optional[Enum['direct', 'smart']]) (defaults to: undef)

    Sets [PassengerSpawnMethod](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerspawnmethod), whether Passenger spawns applications directly, or using a prefork copy-on-write mechanism.

  • passenger_load_shell_envvars (Optional[Boolean]) (defaults to: undef)

    Sets [PassengerLoadShellEnvvars](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerloadshellenvvars), to enable or disable the loading of shell environment variables before spawning the application.

  • passenger_preload_bundler (Optional[Boolean]) (defaults to: undef)

    Sets [PassengerPreloadBundler](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerpreloadbundler), to enable or disable the loading of bundler before loading the application.

  • passenger_rolling_restarts (Optional[Boolean]) (defaults to: undef)

    Sets [PassengerRollingRestarts](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerrollingrestarts), to enable or disable support for zero-downtime application restarts through ‘restart.txt`.

  • passenger_resist_deployment_errors (Optional[Boolean]) (defaults to: undef)

    Sets [PassengerResistDeploymentErrors](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerresistdeploymenterrors), to enable or disable resistance against deployment errors.

  • passenger_user (Optional[String]) (defaults to: undef)

    Sets [PassengerUser](www.phusionpassenger.com/docs/references/config_reference/apache/#passengeruser), the running user for sandboxing applications.

  • passenger_group (Optional[String]) (defaults to: undef)

    Sets [PassengerGroup](www.phusionpassenger.com/docs/references/config_reference/apache/#passengergroup), the running group for sandboxing applications.

  • passenger_friendly_error_pages (Optional[Boolean]) (defaults to: undef)

    Sets [PassengerFriendlyErrorPages](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerfriendlyerrorpages), which can display friendly error pages whenever an application fails to start. This friendly error page presents the startup error message, some suggestions for solving the problem, a backtrace and a dump of the environment variables.

  • passenger_min_instances (Optional[Integer]) (defaults to: undef)

    Sets [PassengerMinInstances](www.phusionpassenger.com/docs/references/config_reference/apache/#passengermininstances), the minimum number of application processes to run.

  • passenger_max_instances (Optional[Integer]) (defaults to: undef)

    Sets [PassengerMaxInstances](www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxinstances), the maximum number of application processes to run.

  • passenger_max_preloader_idle_time (Optional[Integer]) (defaults to: undef)

    Sets [PassengerMaxPreloaderIdleTime](www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxpreloaderidletime), the maximum amount of time the preloader waits before shutting down an idle process.

  • passenger_force_max_concurrent_requests_per_process (Optional[Integer]) (defaults to: undef)

    Sets [PassengerForceMaxConcurrentRequestsPerProcess](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerforcemaxconcurrentrequestsperprocess), the maximum amount of concurrent requests the application can handle per process.

  • passenger_start_timeout (Optional[Integer]) (defaults to: undef)

    Sets [PassengerStartTimeout](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstarttimeout), the timeout for the application startup.

  • passenger_concurrency_model (Optional[Enum['process', 'thread']]) (defaults to: undef)

    Sets [PassengerConcurrencyModel](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerconcurrencyodel), to specify the I/O concurrency model that should be used for Ruby application processes. Passenger supports two concurrency models:<br />

    • ‘process` - single-threaded, multi-processed I/O concurrency.

    • ‘thread` - multi-threaded, multi-processed I/O concurrency.

  • passenger_thread_count (Optional[Integer]) (defaults to: undef)

    Sets [PassengerThreadCount](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerthreadcount), the number of threads that Passenger should spawn per Ruby application process.<br /> This option only has effect if PassengerConcurrencyModel is ‘thread`.

  • passenger_max_requests (Optional[Integer]) (defaults to: undef)

    Sets [PassengerMaxRequests](www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxrequests), the maximum number of requests an application process will process.

  • passenger_max_request_time (Optional[Integer]) (defaults to: undef)

    Sets [PassengerMaxRequestTime](www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxrequesttime), the maximum amount of time, in seconds, that an application process may take to process a request.

  • passenger_memory_limit (Optional[Integer]) (defaults to: undef)

    Sets [PassengerMemoryLimit](www.phusionpassenger.com/docs/references/config_reference/apache/#passengermemorylimit), the maximum amount of memory that an application process may use, in megabytes.

  • passenger_stat_throttle_rate (Optional[Integer]) (defaults to: undef)

    Sets [PassengerStatThrottleRate](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstatthrottlerate), to set a limit, in seconds, on how often Passenger will perform it’s filesystem checks.

  • passenger_pre_start (Optional[Variant[String, Array[String]]]) (defaults to: undef)

    Sets [PassengerPreStart](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerprestart), the URL of the application if pre-starting is required.

  • passenger_high_performance (Optional[Boolean]) (defaults to: undef)

    Sets [PassengerHighPerformance](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerhighperformance), to enhance performance in return for reduced compatibility.

  • passenger_buffer_upload (Optional[Boolean]) (defaults to: undef)

    Sets [PassengerBufferUpload](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerbufferupload), to buffer HTTP client request bodies before they are sent to the application.

  • passenger_buffer_response (Optional[Boolean]) (defaults to: undef)

    Sets [PassengerBufferResponse](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerbufferresponse), to buffer Happlication-generated responses.

  • passenger_error_override (Optional[Boolean]) (defaults to: undef)

    Sets [PassengerErrorOverride](www.phusionpassenger.com/docs/references/config_reference/apache/#passengererroroverride), to specify whether Apache will intercept and handle response with HTTP status codes of 400 and higher.

  • passenger_max_request_queue_size (Optional[Integer]) (defaults to: undef)

    Sets [PassengerMaxRequestQueueSize](www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxrequestqueuesize), to specify the maximum amount of requests that are allowed to queue whenever the maximum concurrent request limit is reached. If the queue is already at this specified limit, then Passenger immediately sends a “503 Service Unavailable” error to any incoming requests.<br /> A value of 0 means that the queue size is unbounded.

  • passenger_max_request_queue_time (Optional[Integer]) (defaults to: undef)

    Sets [PassengerMaxRequestQueueTime](www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxrequestqueuetime), to specify the maximum amount of time that requests are allowed to stay in the queue whenever the maximum concurrent request limit is reached. If a request reaches this specified limit, then Passenger immeaditly sends a “504 Gateway Timeout” error for that request.<br /> A value of 0 means that the queue time is unbounded.

  • passenger_sticky_sessions (Optional[Boolean]) (defaults to: undef)

    Sets [PassengerStickySessions](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstickysessions), to specify that, whenever possible, all requests sent by a client will be routed to the same originating application process.

  • passenger_sticky_sessions_cookie_name (Optional[String]) (defaults to: undef)

    Sets [PassengerStickySessionsCookieName](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstickysessionscookiename), to specify the name of the sticky sessions cookie.

  • passenger_sticky_sessions_cookie_attributes (Optional[String]) (defaults to: undef)

    Sets [PassengerStickySessionsCookieAttributes](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstickysessionscookieattributes), the attributes of the sticky sessions cookie.

  • passenger_allow_encoded_slashes (Optional[Boolean]) (defaults to: undef)

    Sets [PassengerAllowEncodedSlashes](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerallowencodedslashes), to allow URLs with encoded slashes. Please note that this feature will not work properly unless Apache’s ‘AllowEncodedSlashes` is also enabled.

  • passenger_app_log_file (Optional[String]) (defaults to: undef)

    Sets [PassengerAppLogFile](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerapplogfile), app specific messages logged to a different file in addition to Passenger log file.

  • passenger_debugger (Optional[Boolean]) (defaults to: undef)

    Sets [PassengerDebugger](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerdebugger), to turn support for Ruby application debugging on or off.

  • passenger_lve_min_uid (Optional[Integer]) (defaults to: undef)

    Sets [PassengerLveMinUid](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerlveminuid), to only allow the spawning of application processes with UIDs equal to, or higher than, this specified value on LVE-enabled kernels.

  • php_values (Hash) (defaults to: {})

    Allows per-virtual host setting [‘php_value`s](php.net/manual/en/configuration.changes.php). These flags or values can be overwritten by a user or an application. Within a vhost declaration: “` puppet

    php_values    => [ 'include_path ".:/usr/local/example-app/include"' ],
    

    “‘

  • php_flags (Hash) (defaults to: {})

    Allows per-virtual host setting [‘php_flags``](php.net/manual/en/configuration.changes.php). These flags or values can be overwritten by a user or an application.

  • php_admin_values (Variant[Array[String], Hash]) (defaults to: {})

    Allows per-virtual host setting [‘php_admin_value`](php.net/manual/en/configuration.changes.php). These flags or values cannot be overwritten by a user or an application.

  • php_admin_flags (Variant[Array[String], Hash]) (defaults to: {})

    Allows per-virtual host setting [‘php_admin_flag`](php.net/manual/en/configuration.changes.php). These flags or values cannot be overwritten by a user or an application.

  • port (Optional[Variant[Array[Stdlib::Port], Stdlib::Port]]) (defaults to: undef)

    Sets the port the host is configured on. The module’s defaults ensure the host listens on port 80 for non-SSL virtual hosts and port 443 for SSL virtual hosts. The host only listens on the port set in this parameter.

  • priority (Optional[Apache::Vhost::Priority]) (defaults to: undef)

    Sets the relative load-order for Apache HTTPD VirtualHost configuration files.<br /> If nothing matches the priority, the first name-based virtual host is used. Likewise, passing a higher priority causes the alphabetically first name-based virtual host to be used if no other names match.<br /> > Note: You should not need to use this parameter. However, if you do use it, be aware that the ‘default_vhost` parameter for `apache::vhost` passes a priority of 15.<br /> To omit the priority prefix in file names, pass a priority of `false`.

  • protocols (Array[Enum['h2', 'h2c', 'http/1.1']]) (defaults to: [])

    Sets the [Protocols](httpd.apache.org/docs/current/en/mod/core.html#protocols) directive, which lists available protocols for the virutal host.

  • protocols_honor_order (Optional[Boolean]) (defaults to: undef)

    Sets the [ProtocolsHonorOrder](httpd.apache.org/docs/current/en/mod/core.html#protocolshonororder) directive which determines wether the order of Protocols sets precedence during negotiation.

  • proxy_dest (Optional[String]) (defaults to: undef)

    Specifies the destination address of a [ProxyPass](httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) configuration.

  • proxy_pass (Optional[Variant[Array[Hash], Hash]]) (defaults to: undef)

    Specifies an array of ‘path => URI` values for a [ProxyPass](httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) configuration. Optionally, parameters can be added as an array. “` puppet apache::vhost { ’site.name.fdqn’:

    ...
    proxy_pass => [
      { 'path' => '/a', 'url' => 'http://backend-a/' },
      { 'path' => '/b', 'url' => 'http://backend-b/' },
      { 'path' => '/c', 'url' => 'http://backend-a/c', 'params' => {'max'=>20, 'ttl'=>120, 'retry'=>300}},
      { 'path' => '/l', 'url' => 'http://backend-xy',
        'reverse_urls' => ['http://backend-x', 'http://backend-y'] },
      { 'path' => '/d', 'url' => 'http://backend-a/d',
        'params' => { 'retry' => 0, 'timeout' => 5 }, },
      { 'path' => '/e', 'url' => 'http://backend-a/e',
        'keywords' => ['nocanon', 'interpolate'] },
      { 'path' => '/f', 'url' => 'http://backend-f/',
        'setenv' => ['proxy-nokeepalive 1', 'force-proxy-request-1.0 1']},
      { 'path' => '/g', 'url' => 'http://backend-g/',
        'reverse_cookies' => [{'path' => '/g', 'url' => 'http://backend-g/',}, {'domain' => 'http://backend-g', 'url' => 'http:://backend-g',},], },
      { 'path' => '/h', 'url' => 'http://backend-h/h',
        'no_proxy_uris' => ['/h/admin', '/h/server-status'] },
    ],
    

    } “‘

    • ‘reverse_urls`. Optional. This setting is useful when used with `mod_proxy_balancer`. Values: an array or string.

    • ‘reverse_cookies`. Optional. Sets `ProxyPassReverseCookiePath` and `ProxyPassReverseCookieDomain`.

    • ‘params`. Optional. Allows for ProxyPass key-value parameters, such as connection settings.

    • ‘setenv`. Optional. Sets [environment variables](httpd.apache.org/docs/current/mod/mod_proxy.html#envsettings) for the proxy directive. Values: array.

  • proxy_dest_match (Optional[String]) (defaults to: undef)

    This directive is equivalent to ‘proxy_dest`, but takes regular expressions, see [ProxyPassMatch](httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch) for details.

  • proxy_dest_reverse_match (Optional[String]) (defaults to: undef)

    Allows you to pass a ProxyPassReverse if ‘proxy_dest_match` is specified. See [ProxyPassReverse](httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassreverse) for details.

  • proxy_pass_match (Optional[Variant[Array[Hash], Hash]]) (defaults to: undef)

    This directive is equivalent to ‘proxy_pass`, but takes regular expressions, see [ProxyPassMatch](httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch) for details.

  • redirect_dest (Optional[Variant[Array[String], String]]) (defaults to: undef)

    Specifies the address to redirect to.

  • redirect_source (Variant[String, Array[String]]) (defaults to: '/')

    Specifies the source URIs that redirect to the destination specified in ‘redirect_dest`. If more than one item for redirect is supplied, the source and destination must be the same length, and the items are order-dependent. “` puppet apache::vhost { ’site.name.fdqn’:

    ...
    redirect_source => ['/images', '/downloads'],
    redirect_dest   => ['http://img.example.com/', 'http://downloads.example.com/'],
    

    } “‘

  • redirect_status (Optional[Variant[Array[String], String]]) (defaults to: undef)

    Specifies the status to append to the redirect. “‘ puppet

    apache::vhost { 'site.name.fdqn':
    ...
    redirect_status => ['temp', 'permanent'],
    

    } “‘

  • redirectmatch_regexp (Optional[Variant[Array[String], String]]) (defaults to: undef)

    Determines which server status should be raised for a given regular expression and where to forward the user to. Entered as an array alongside redirectmatch_status and redirectmatch_dest. “‘ puppet apache::vhost { ’site.name.fdqn’:

    ...
    redirectmatch_status => ['404', '404'],
    redirectmatch_regexp => ['\.git(/.*|$)/', '\.svn(/.*|$)'],
    redirectmatch_dest => ['http://www.example.com/$1', 'http://www.example.com/$2'],
    

    } “‘

  • redirectmatch_status (Optional[Variant[Array[String], String]]) (defaults to: undef)

    Determines which server status should be raised for a given regular expression and where to forward the user to. Entered as an array alongside redirectmatch_regexp and redirectmatch_dest. “‘ puppet apache::vhost { ’site.name.fdqn’:

    ...
    redirectmatch_status => ['404', '404'],
    redirectmatch_regexp => ['\.git(/.*|$)/', '\.svn(/.*|$)'],
    redirectmatch_dest => ['http://www.example.com/$1', 'http://www.example.com/$2'],
    

    } “‘

  • redirectmatch_dest (Optional[Variant[Array[String], String]]) (defaults to: undef)

    Determines which server status should be raised for a given regular expression and where to forward the user to. Entered as an array alongside redirectmatch_status and redirectmatch_regexp. “‘ puppet apache::vhost { ’site.name.fdqn’:

    ...
    redirectmatch_status => ['404', '404'],
    redirectmatch_regexp => ['\.git(/.*|$)/', '\.svn(/.*|$)'],
    redirectmatch_dest => ['http://www.example.com/$1', 'http://www.example.com/$2'],
    

    } “‘

  • request_headers (Array[String[1]]) (defaults to: [])

    Modifies collected [request headers](httpd.apache.org/docs/current/mod/mod_headers.html#requestheader) in various ways, including adding additional request headers, removing request headers, and so on. “‘ puppet apache::vhost { ’site.name.fdqn’:

    ...
    request_headers => [
      'append MirrorID "mirror 12"',
      'unset MirrorID',
    ],
    

    } “‘

  • rewrites (Array[Hash]) (defaults to: [])

    Creates URL rewrite rules. Expects an array of hashes.<br /> Valid Hash keys include ‘comment`, `rewrite_base`, `rewrite_cond`, `rewrite_rule` or `rewrite_map`.<br /> For example, you can specify that anyone trying to access index.html is served welcome.html “` puppet apache::vhost { ’site.name.fdqn’:

    ...
    rewrites => [ { rewrite_rule => ['^index\.html$ welcome.html'] } ]
    

    } “‘ The parameter allows rewrite conditions that, when `true`, execute the associated rule. For instance, if you wanted to rewrite URLs only if the visitor is using IE “` puppet apache::vhost { ’site.name.fdqn’:

    ...
    rewrites => [
      {
        comment      => 'redirect IE',
        rewrite_cond => ['%{HTTP_USER_AGENT} ^MSIE'],
        rewrite_rule => ['^index\.html$ welcome.html'],
      },
    ],
    

    } “‘ You can also apply multiple conditions. For instance, rewrite index.html to welcome.html only when the browser is Lynx or Mozilla (version 1 or 2) “` puppet apache::vhost { ’site.name.fdqn’:

    ...
    rewrites => [
      {
        comment      => 'Lynx or Mozilla v1/2',
        rewrite_cond => ['%{HTTP_USER_AGENT} ^Lynx/ [OR]', '%{HTTP_USER_AGENT} ^Mozilla/[12]'],
        rewrite_rule => ['^index\.html$ welcome.html'],
      },
    ],
    

    } “‘ Multiple rewrites and conditions are also possible “` puppet apache::vhost { ’site.name.fdqn’:

    ...
    rewrites => [
      {
        comment      => 'Lynx or Mozilla v1/2',
        rewrite_cond => ['%{HTTP_USER_AGENT} ^Lynx/ [OR]', '%{HTTP_USER_AGENT} ^Mozilla/[12]'],
        rewrite_rule => ['^index\.html$ welcome.html'],
      },
      {
        comment      => 'Internet Explorer',
        rewrite_cond => ['%{HTTP_USER_AGENT} ^MSIE'],
        rewrite_rule => ['^index\.html$ /index.IE.html [L]'],
      },
      {
        rewrite_base => /apps/,
        rewrite_rule => ['^index\.cgi$ index.php', '^index\.html$ index.php', '^index\.asp$ index.html'],
      },
      { comment      => 'Rewrite to lower case',
        rewrite_cond => ['%{REQUEST_URI} [A-Z]'],
        rewrite_map  => ['lc int:tolower'],
        rewrite_rule => ['(.*) ${lc:$1} [R=301,L]'],
      },
    ],
    

    } “‘ Refer to the [`mod_rewrite` documentation](httpd.apache.org/docs/2.4/mod/mod_rewrite.html) for more details on what is possible with rewrite rules and conditions.<br /> > Note: If you include rewrites in your directories, also include `apache::mod::rewrite` and consider setting the rewrites using the `rewrites` parameter in `apache::vhost` rather than setting the rewrites in the virtual host’s directories.

  • rewrite_base (Optional[String[1]]) (defaults to: undef)

    The parameter [‘rewrite_base`](httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritebase) specifies the URL prefix to be used for per-directory (htaccess) RewriteRule directives that substitue a relative path.

  • rewrite_rule (Optional[Variant[Array[String[1]], String[1]]]) (defaults to: undef)

    The parameter [‘rewrite_rile`](httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriterule) allows the user to define the rules that will be used by the rewrite engine.

  • rewrite_cond (Array[String[1]]) (defaults to: [])

    The parameter [‘rewrite_cond`](httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritecond) defines a rule condition, that when satisfied will implement that rule within the rewrite engine.

  • rewrite_inherit (Boolean) (defaults to: false)

    Determines whether the virtual host inherits global rewrite rules.<br /> Rewrite rules may be specified globally (in ‘$conf_file` or `$confd_dir`) or inside the virtual host `.conf` file. By default, virtual hosts do not inherit global settings. To activate inheritance, specify the `rewrites` parameter and set `rewrite_inherit` parameter to `true`: “` puppet apache::vhost { ’site.name.fdqn’:

    ...
    rewrites => [
      <rules>,
    ],
    rewrite_inherit => `true`,
    

    } “‘ > Note: The `rewrites` parameter is required for this to have effect<br /> Apache activates global `Rewrite` rules inheritance if the virtual host files contains the following directives: “` ApacheConf RewriteEngine On RewriteOptions Inherit “` Refer to the official [`mod_rewrite`](httpd.apache.org/docs/2.2/mod/mod_rewrite.html) documentation, section “Rewriting in Virtual Hosts”.

  • scriptalias (Optional[String]) (defaults to: undef)

    Defines a directory of CGI scripts to be aliased to the path ‘/cgi-bin’, such as ‘/usr/scripts’.

  • scriptaliases (Array[Hash]) (defaults to: [])

    > Note: This parameter is deprecated in favor of the ‘aliases` parameter.<br /> Passes an array of hashes to the virtual host to create either ScriptAlias or ScriptAliasMatch statements per the `mod_alias` documentation. “` puppet scriptaliases => [

    {
      alias => '/myscript',
      path  => '/usr/share/myscript',
    },
    {
      aliasmatch => '^/foo(.*)',
      path       => '/usr/share/fooscripts$1',
    },
    {
      aliasmatch => '^/bar/(.*)',
      path       => '/usr/share/bar/wrapper.sh/$1',
    },
    {
      alias => '/neatscript',
      path  => '/usr/share/neatscript',
    },
    

    ] “‘ The ScriptAlias and ScriptAliasMatch directives are created in the order specified. As with [Alias and AliasMatch](#aliases) directives, specify more specific aliases before more general ones to avoid shadowing.

  • serveradmin (Optional[String]) (defaults to: undef)

    Specifies the email address Apache displays when it renders one of its error pages.

  • serveraliases (Variant[Array[String], String]) (defaults to: [])

    Sets the [ServerAliases](httpd.apache.org/docs/current/mod/core.html#serveralias) of the site.

  • servername (Optional[String]) (defaults to: $name)

    Sets the servername corresponding to the hostname you connect to the virtual host at.

  • setenv (Variant[Array[String], String]) (defaults to: [])

    Used by HTTPD to set environment variables for virtual hosts.<br /> Example: “‘ puppet apache::vhost { ’setenv.example.com’:

    setenv => ['SPECIAL_PATH /foo/bin'],
    

    } “‘

  • setenvif (Variant[Array[String], String]) (defaults to: [])

    Used by HTTPD to conditionally set environment variables for virtual hosts.

  • setenvifnocase (Variant[Array[String], String]) (defaults to: [])

    Used by HTTPD to conditionally set environment variables for virtual hosts (caseless matching).

  • suexec_user_group (Optional[Pattern[/^[\w-]+ [\w-]+$/]]) (defaults to: undef)

    Allows the spcification of user and group execution privileges for CGI programs through inclusion of the ‘mod_suexec` module.

  • vhost_name (String) (defaults to: '*')

    Enables name-based virtual hosting. If no IP is passed to the virtual host, but the virtual host is assigned a port, then the virtual host name is ‘vhost_name:port`. If the virtual host has no assigned IP or port, the virtual host name is set to the title of the resource.

  • virtual_docroot (Variant[Stdlib::Absolutepath, Boolean]) (defaults to: false)

    Sets up a virtual host with a wildcard alias subdomain mapped to a directory with the same name. For example, ‘example.com` would map to `/var/www/example.com`. Note that the `DocumentRoot` directive will not be present even though there is a value set for `docroot` in the manifest. See [`virtual_use_default_docroot`](#virtual_use_default_docroot) to change this behavior. “` puppet apache::vhost { ’subdomain.loc’:

    vhost_name      => '*',
    port            => 80,
    virtual_docroot => '/var/www/%-2+',
    docroot         => '/var/www',
    serveraliases   => ['*.loc',],
    

    } “‘

  • virtual_use_default_docroot (Boolean) (defaults to: false)

    By default, when using ‘virtual_docroot`, the value of `docroot` is ignored. Setting this to `true` will mean both directives will be added to the configuration. “` puppet apache::vhost { ’subdomain.loc’:

    vhost_name                  => '*',
    port                        => 80,
    virtual_docroot             => '/var/www/%-2+',
    docroot                     => '/var/www',
    virtual_use_default_docroot => true,
    serveraliases               => ['*.loc',],
    

    } “‘

  • wsgi_daemon_process (Optional[Variant[String, Hash]]) (defaults to: undef)

    Sets up a virtual host with [WSGI](github.com/GrahamDumpleton/mod_wsgi) alongside wsgi_daemon_process_options, wsgi_process_group, wsgi_script_aliases and wsgi_pass_authorization.<br /> A hash that sets the name of the WSGI daemon, accepting [certain keys](modwsgi.readthedocs.org/en/latest/configuration-directives/WSGIDaemonProcess.html).<br /> An example virtual host configuration with WSGI: “‘ puppet apache::vhost { ’wsgi.example.com’:

    port                        => 80,
    docroot                     => '/var/www/pythonapp',
    wsgi_daemon_process         => 'wsgi',
    wsgi_daemon_process_options =>
      { processes    => 2,
        threads      => 15,
        display-name => '%{GROUP}',
      },
    wsgi_process_group          => 'wsgi',
    wsgi_script_aliases         => { '/' => '/var/www/demo.wsgi' },
    wsgi_chunked_request        => 'On',
    

    } “‘

  • wsgi_daemon_process_options (Optional[Hash]) (defaults to: undef)

    Sets up a virtual host with [WSGI](github.com/GrahamDumpleton/mod_wsgi) alongside wsgi_daemon_process, wsgi_process_group, wsgi_script_aliases and wsgi_pass_authorization.<br /> Sets the group ID that the virtual host runs under.

  • wsgi_application_group (Optional[String]) (defaults to: undef)

    Sets up a virtual host with [WSGI](github.com/GrahamDumpleton/mod_wsgi) alongside wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, and wsgi_pass_authorization.<br /> This parameter defines the [‘WSGIApplicationGroup directive`](modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIApplicationGroup.html), thus allowing you to specify which application group the WSGI application belongs to, with all WSGI applications within the same group executing within the context of the same Python sub interpreter.

  • wsgi_import_script (Optional[String]) (defaults to: undef)

    Sets up a virtual host with [WSGI](github.com/GrahamDumpleton/mod_wsgi) alongside wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, and wsgi_pass_authorization.<br /> This parameter defines the [‘WSGIImportScript directive`](modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIImportScript.html), which can be used in order to specify a script file to be loaded upon a process starting.

  • wsgi_import_script_options (Optional[Hash]) (defaults to: undef)

    Sets up a virtual host with [WSGI](github.com/GrahamDumpleton/mod_wsgi) alongside wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, and wsgi_pass_authorization.<br /> This parameter defines the [‘WSGIImportScript directive`](modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIImportScript.html), which can be used in order to specify a script file to be loaded upon a process starting.<br /> Specifies the process and aplication groups of the script.

  • wsgi_chunked_request (Optional[Enum['On', 'Off']]) (defaults to: undef)

    Sets up a virtual host with [WSGI](github.com/GrahamDumpleton/mod_wsgi) alongside wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, and wsgi_pass_authorization.<br /> This parameter defines the [‘WSGIChunkedRequest directive`](modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIChunkedRequest.html), allowing you to enable support for chunked request content.<br /> WSGI is technically incapable of supporting chunked request content without all chunked request content having first been read in and buffered.

  • wsgi_process_group (Optional[String]) (defaults to: undef)

    Sets up a virtual host with [WSGI](github.com/GrahamDumpleton/mod_wsgi) alongside wsgi_daemon_process, wsgi_daemon_process_options, wsgi_script_aliases and wsgi_pass_authorization.<br /> Requires a hash of web paths to filesystem ‘.wsgi paths/`.

  • wsgi_script_aliases (Optional[Hash]) (defaults to: undef)

    Sets up a virtual host with [WSGI](github.com/GrahamDumpleton/mod_wsgi) alongside wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, and wsgi_pass_authorization.<br /> Uses the WSGI application to handle authorization instead of Apache when set to ‘On`.<br /> For more information, see mod_wsgi’s [WSGIPassAuthorization documentation](modwsgi.readthedocs.org/en/latest/configuration-directives/WSGIPassAuthorization.html).

  • wsgi_script_aliases_match (Optional[Hash]) (defaults to: undef)

    Sets up a virtual host with [WSGI](github.com/GrahamDumpleton/mod_wsgi) alongside wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, and wsgi_pass_authorization.<br /> Uses the WSGI application to handle authorization instead of Apache when set to ‘On`.<br /> This directive is similar to `wsgi_script_aliases`, but makes use of regular expressions in place of simple prefix matching.<br /> For more information, see mod_wsgi’s [WSGIPassAuthorization documentation](modwsgi.readthedocs.org/en/latest/configuration-directives/WSGIPassAuthorization.html).

  • wsgi_pass_authorization (Optional[Enum['on', 'off', 'On', 'Off']]) (defaults to: undef)

    Sets up a virtual host with [WSGI](github.com/GrahamDumpleton/mod_wsgi) alongside wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group and wsgi_script_aliases.<br /> Enables support for chunked requests.

  • directories (Optional[Array[Hash]]) (defaults to: undef)

    The ‘directories` parameter within the `apache::vhost` class passes an array of hashes to the virtual host to create [Directory](httpd.apache.org/docs/current/mod/core.html#directory), [File](httpd.apache.org/docs/current/mod/core.html#files), and [Location](httpd.apache.org/docs/current/mod/core.html#location) directive blocks. These blocks take the form, `< Directory /path/to/directory>…< /Directory>`.<br /> The `path` key sets the path for the directory, files, and location blocks. Its value must be a path for the `directory`, `files`, and `location` providers, or a regex for the `directorymatch`, `filesmatch`, or `locationmatch` providers. Each hash passed to `directories` must contain `path` as one of the keys.<br /> The `provider` key is optional. If missing, this key defaults to `directory`.

    Values: `directory`, `files`, `proxy`, `location`, `directorymatch`, `filesmatch`,
    

    ‘proxymatch` or `locationmatch`. If you set `provider` to `directorymatch`, it uses the keyword `DirectoryMatch` in the Apache config file.<br /> proxy_pass and proxy_pass_match are supported like their parameters to apache::vhost, and will be rendered without their path parameter as this will be inherited from the Location/LocationMatch container. An example use of `directories`: “` puppet apache::vhost { ’files.example.net’:

    docroot     => '/var/www/files',
    directories => [
      { 'path'     => '/var/www/files',
        'provider' => 'files',
        'deny'     => 'from all',
      },
      { 'path'           => '/var/www/html',
        'provider'       => 'directory',
        'options'        => ['-Indexes'],
        'allow_override' => ['All'],
      },
    ],
    

    } “‘ > Note: At least one directory should match the `docroot` parameter. After you start declaring directories, `apache::vhost` assumes that all required Directory blocks will be declared. If not defined, a single default Directory block is created that matches the `docroot` parameter.<br /> Available handlers, represented as keys, should be placed within the `directory`, `files`, or `location` hashes. This looks like “` puppet apache::vhost { ’sample.example.net’:

    docroot     => '/path/to/directory',
    directories => [ { path => '/path/to/directory', handler => value } ],
    

    } “‘ Any handlers you do not set in these hashes are considered `undefined` within Puppet and are not added to the virtual host, resulting in the module using their default values.

  • custom_fragment (Optional[String]) (defaults to: undef)

    Pass a string of custom configuration directives to be placed at the end of the directory configuration. “‘ puppet apache::vhost { ’monitor’:

    ...
    directories => [
      {
        path => '/path/to/directory',
        custom_fragment => '
    

    <Location /balancer-manager>

    SetHandler balancer-manager
    Order allow,deny
    Allow from all
    

    </Location> <Location /server-status>

    SetHandler server-status
    Order allow,deny
    Allow from all
    

    </Location> ProxyStatus On’,

      },
    ]
    

    } “‘

  • headers (Array[String[1]]) (defaults to: [])

    Adds lines for [Header](httpd.apache.org/docs/current/mod/mod_headers.html#header) directives. “‘ puppet apache::vhost { ’sample.example.net’:

    docroot     => '/path/to/directory',
    directories => [
      {
        path    => '/path/to/directory',
        headers => 'Set X-Robots-Tag "noindex, noarchive, nosnippet"',
      },
    ],
    

    } “‘

  • shib_compat_valid_user (Optional[String]) (defaults to: undef)

    Default is Off, matching the behavior prior to this command’s existence. Addresses a conflict when using Shibboleth in conjunction with other auth/auth modules by restoring ‘standard` Apache behavior when processing the `valid-user` and `user` Require rules. See the [`mod_shib`documentation](wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions), and [NativeSPhtaccess](wiki.shibboleth.net/confluence/display/SHIB2/NativeSPhtaccess) topic for more details. This key is disabled if `apache::mod::shib` is not defined.

  • ssl_options (Optional[Variant[Array[String], String]]) (defaults to: undef)

    String or list of [SSLOptions](httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions), which configure SSL engine run-time options. This handler takes precedence over SSLOptions set in the parent block of the virtual host. “‘ puppet apache::vhost { ’secure.example.net’:

    docroot     => '/path/to/directory',
    directories => [
      { path        => '/path/to/directory',
        ssl_options => '+ExportCertData',
      },
      { path        => '/path/to/different/dir',
        ssl_options => ['-StdEnvVars', '+ExportCertData'],
      },
    ],
    

    } “‘

  • additional_includes (Variant[Array[String], String]) (defaults to: [])

    Specifies paths to additional static, specific Apache configuration files in virtual host directories. “‘ puppet apache::vhost { ’sample.example.net’:

    docroot     => '/path/to/directory',
    directories => [
      { path  => '/path/to/different/dir',
        additional_includes => ['/custom/path/includes', '/custom/path/another_includes',],
      },
    ],
    

    } “‘

  • gssapi
  • ssl (Boolean) (defaults to: false)

    Enables SSL for the virtual host. SSL virtual hosts only respond to HTTPS queries.

  • ssl_ca (Optional[Stdlib::Absolutepath]) (defaults to: $apache::default_ssl_ca)

    Specifies the SSL certificate authority to be used to verify client certificates used for authentication.

  • ssl_cert (Optional[Stdlib::Absolutepath]) (defaults to: $apache::default_ssl_cert)

    Specifies the SSL certification.

  • ssl_protocol (Optional[Variant[Array[String], String]]) (defaults to: undef)

    Specifies [SSLProtocol](httpd.apache.org/docs/current/mod/mod_ssl.html#sslprotocol). Expects an array or space separated string of accepted protocols.

  • ssl_cipher (Optional[Variant[Array[String], String]]) (defaults to: undef)
  • ssl_honorcipherorder (Variant[Boolean, Enum['on', 'On', 'off', 'Off'], Undef]) (defaults to: undef)

    Sets [SSLHonorCipherOrder](httpd.apache.org/docs/current/mod/mod_ssl.html#sslhonorcipherorder), to cause Apache to use the server’s preferred order of ciphers rather than the client’s preferred order.

  • ssl_certs_dir (Optional[Stdlib::Absolutepath]) (defaults to: $apache::params::ssl_certs_dir)

    Specifies the location of the SSL certification directory to verify client certs.

  • ssl_chain (Optional[Stdlib::Absolutepath]) (defaults to: $apache::default_ssl_chain)

    Specifies the SSL chain. This default works out of the box, but it must be updated in the base ‘apache` class with your specific certificate information before being used in production.

  • ssl_crl (Optional[Stdlib::Absolutepath]) (defaults to: $apache::default_ssl_crl)

    Specifies the certificate revocation list to use. (This default works out of the box but must be updated in the base ‘apache` class with your specific certificate information before being used in production.)

  • ssl_crl_path (Optional[Stdlib::Absolutepath]) (defaults to: $apache::default_ssl_crl_path)

    Specifies the location of the certificate revocation list to verify certificates for client authentication with. (This default works out of the box but must be updated in the base ‘apache` class with your specific certificate information before being used in production.)

  • ssl_crl_check (Optional[String]) (defaults to: $apache::default_ssl_crl_check)

    Sets the certificate revocation check level via the [SSLCARevocationCheck directive](httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationcheck) for ssl client authentication. The default works out of the box but must be specified when using CRLs in production. Only applicable to Apache 2.4 or higher; the value is ignored on older versions.

  • ssl_key (Optional[Stdlib::Absolutepath]) (defaults to: $apache::default_ssl_key)

    Specifies the SSL key.<br /> Defaults are based on your operating system. Default work out of the box but must be updated in the base ‘apache` class with your specific certificate information before being used in production.

  • ssl_verify_client (Optional[Enum['none', 'optional', 'require', 'optional_no_ca']]) (defaults to: undef)

    Sets the [SSLVerifyClient](httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifyclient) directive, which sets the certificate verification level for client authentication. “‘ puppet apache::vhost { ’sample.example.net’:

    ...
    ssl_verify_client => 'optional',
    

    } “‘

  • ssl_verify_depth (Optional[Integer]) (defaults to: undef)

    Sets the [SSLVerifyDepth](httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifydepth) directive, which specifies the maximum depth of CA certificates in client certificate verification. You must set ‘ssl_verify_client` for it to take effect. “` puppet apache::vhost { ’sample.example.net’:

    ...
    ssl_verify_client => 'require',
    ssl_verify_depth => 1,
    

    } “‘

  • ssl_proxy_protocol (Optional[String]) (defaults to: undef)

    Sets the [SSLProxyProtocol](httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyprotocol) directive, which controls which SSL protocol flavors ‘mod_ssl` should use when establishing its server environment for proxy. It connects to servers using only one of the provided protocols.

  • ssl_proxy_verify (Optional[Enum['none', 'optional', 'require', 'optional_no_ca']]) (defaults to: undef)

    Sets the [SSLProxyVerify](httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyverify) directive, which configures certificate verification of the remote server when a proxy is configured to forward requests to a remote SSL server.

  • ssl_proxy_verify_depth (Optional[Integer[0]]) (defaults to: undef)

    Sets the [SSLProxyVerifyDepth](httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyverifydepth) directive, which configures how deeply mod_ssl should verify before deciding that the remote server does not have a valid certificate.<br /> A depth of 0 means that only self-signed remote server certificates are accepted, the default depth of 1 means the remote server certificate can be self-signed or signed by a CA that is directly known to the server.

  • ssl_proxy_cipher_suite (Optional[String]) (defaults to: undef)

    Sets the [SSLProxyCipherSuite](httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyciphersuite) directive, which controls cipher suites supported for ssl proxy traffic.

  • ssl_proxy_ca_cert (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Sets the [SSLProxyCACertificateFile](httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycacertificatefile) directive, which specifies an all-in-one file where you can assemble the Certificates of Certification Authorities (CA) whose remote servers you deal with. These are used for Remote Server Authentication. This file should be a concatenation of the PEM-encoded certificate files in order of preference.

  • ssl_proxy_machine_cert (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Sets the [SSLProxyMachineCertificateFile](httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxymachinecertificatefile) directive, which specifies an all-in-one file where you keep the certs and keys used for this server to authenticate itself to remote servers. This file should be a concatenation of the PEM-encoded certificate files in order of preference. “‘ puppet apache::vhost { ’sample.example.net’:

    ...
    ssl_proxy_machine_cert => '/etc/httpd/ssl/client_certificate.pem',
    

    } “‘

  • ssl_proxy_machine_cert_chain (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Sets the [SSLProxyMachineCertificateChainFile](httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxymachinecertificatechainfile) directive, which specifies an all-in-one file where you keep the certificate chain for all of the client certs in use. This directive will be needed if the remote server presents a list of CA certificates that are not direct signers of one of the configured client certificates. This referenced file is simply the concatenation of the various PEM-encoded certificate files. Upon startup, each client certificate configured will be examined and a chain of trust will be constructed.

  • ssl_proxy_check_peer_cn (Optional[Enum['on', 'off']]) (defaults to: undef)

    Sets the [SSLProxyCheckPeerCN](httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeercn) directive, which specifies whether the remote server certificate’s CN field is compared against the hostname of the request URL.

  • ssl_proxy_check_peer_name (Optional[Enum['on', 'off']]) (defaults to: undef)

    Sets the [SSLProxyCheckPeerName](httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeername) directive, which specifies whether the remote server certificate’s CN field is compared against the hostname of the request URL.

  • ssl_proxy_check_peer_expire (Optional[Enum['on', 'off']]) (defaults to: undef)

    Sets the [SSLProxyCheckPeerExpire](httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeerexpire) directive, which specifies whether the remote server certificate is checked for expiration or not.

  • ssl_openssl_conf_cmd (Optional[String]) (defaults to: undef)

    Sets the [SSLOpenSSLConfCmd](httpd.apache.org/docs/current/mod/mod_ssl.html#sslopensslconfcmd) directive, which provides direct configuration of OpenSSL parameters.

  • ssl_proxyengine (Boolean) (defaults to: false)

    Specifies whether or not to use [SSLProxyEngine](httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyengine).

  • ssl_stapling (Optional[Boolean]) (defaults to: undef)

    Specifies whether or not to use [SSLUseStapling](httpd.apache.org/docs/current/mod/mod_ssl.html#sslusestapling). By default, uses what is set globally.<br /> This parameter only applies to Apache 2.4 or higher and is ignored on older versions.

  • ssl_stapling_timeout (Optional[Integer]) (defaults to: undef)

    Can be used to set the [SSLStaplingResponderTimeout](httpd.apache.org/docs/current/mod/mod_ssl.html#sslstaplingrespondertimeout) directive.<br /> This parameter only applies to Apache 2.4 or higher and is ignored on older versions.

  • ssl_stapling_return_errors (Optional[Enum['on', 'off']]) (defaults to: undef)

    Can be used to set the [SSLStaplingReturnResponderErrors](httpd.apache.org/docs/current/mod/mod_ssl.html#sslstaplingreturnrespondererrors) directive.<br /> This parameter only applies to Apache 2.4 or higher and is ignored on older versions.

  • ssl_user_name (Optional[String]) (defaults to: undef)
  • ssl_reload_on_change (Boolean) (defaults to: $apache::default_ssl_reload_on_change)

    Enable reloading of apache if the content of ssl files have changed.

  • use_canonical_name (Optional[Enum['On', 'on', 'Off', 'off', 'DNS', 'dns']]) (defaults to: undef)

    Specifies whether to use the [‘UseCanonicalName directive`](httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname), which allows you to configure how the server determines it’s own name and port.

  • define (Hash) (defaults to: {})

    this lets you define configuration variables inside a vhost using [‘Define`](httpd.apache.org/docs/2.4/mod/core.html#define), these can then be used to replace configuration values. All Defines are Undefined at the end of the VirtualHost.

  • auth_oidc (Boolean) (defaults to: false)

    Enable ‘mod_auth_openidc` parameters for OpenID Connect authentication.

  • oidc_settings (Apache::OIDCSettings) (defaults to: {})

    An Apache::OIDCSettings Struct containing (mod_auth_openidc settings).

  • limitreqfields (Optional[Integer]) (defaults to: undef)

    The ‘limitreqfields` parameter sets the maximum number of request header fields in an HTTP request. This directive gives the server administrator greater control over abnormal client request behavior, which may be useful for avoiding some forms of denial-of-service attacks. The value should be increased if normal clients see an error response from the server that indicates too many fields were sent in the request.

  • limitreqfieldsize (Optional[Integer]) (defaults to: undef)

    The ‘limitreqfieldsize` parameter sets the maximum ammount of bytes that will be allowed within a request header.

  • limitreqline (Optional[Integer]) (defaults to: undef)

    Limit the size of the HTTP request line that will be accepted from the client This directive sets the number of bytes that will be allowed on the HTTP request-line. The LimitRequestLine directive allows the server administrator to set the limit on the allowed size of a client’s HTTP request-line. Since the request-line consists of the HTTP method, URI, and protocol version, the LimitRequestLine directive places a restriction on the length of a request-URI allowed for a request on the server. A server needs this value to be large enough to hold any of its resource names, including any information that might be passed in the query part of a GET request.

  • limitreqbody (Optional[Integer]) (defaults to: undef)

    Restricts the total size of the HTTP request body sent from the client The LimitRequestBody directive allows the user to set a limit on the allowed size of an HTTP request message body within the context in which the directive is given (server, per-directory, per-file or per-location). If the client request exceeds that limit, the server will return an error response instead of servicing the request.

  • use_servername_for_filenames (Boolean) (defaults to: false)

    When set to true, default log / config file names will be derived from the sanitized value of the $servername parameter. When set to false (default), the existing behaviour of using the $name parameter will remain.

  • use_port_for_filenames (Boolean) (defaults to: false)

    When set to true and use_servername_for_filenames is also set to true, default log / config file names will be derived from the sanitized value of both the $servername and $port parameters. When set to false (default), the port is not included in the file names and may lead to duplicate declarations if two virtual hosts use the same domain.

  • mdomain (Optional[Variant[Boolean, String]]) (defaults to: undef)

    All the names in the list are managed as one Managed Domain (MD). mod_md will request one single certificate that is valid for all these names.

  • proxy_requests (Boolean) (defaults to: false)

    Whether to accept proxy requests

  • userdir (Optional[Variant[String[1], Array[String[1]]]]) (defaults to: undef)

    Instances of apache::mod::userdir



1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
2692
2693
2694
2695
2696
2697
2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714
2715
2716
2717
2718
2719
2720
2721
2722
2723
2724
2725
2726
2727
2728
2729
2730
2731
2732
2733
2734
2735
2736
2737
2738
2739
2740
2741
2742
2743
2744
2745
2746
2747
2748
2749
2750
2751
2752
2753
2754
2755
2756
2757
2758
2759
2760
2761
2762
2763
2764
2765
2766
2767
2768
2769
2770
2771
2772
2773
2774
2775
2776
2777
2778
2779
2780
2781
2782
2783
2784
2785
2786
2787
2788
2789
2790
2791
2792
2793
2794
2795
2796
2797
2798
2799
2800
2801
2802
2803
2804
2805
2806
2807
2808
2809
2810
2811
2812
2813
2814
2815
2816
2817
2818
2819
2820
2821
2822
2823
2824
2825
2826
2827
2828
2829
2830
2831
2832
2833
2834
2835
2836
2837
2838
2839
2840
2841
2842
2843
2844
2845
2846
2847
2848
2849
2850
2851
2852
2853
2854
2855
2856
2857
2858
2859
2860
2861
2862
2863
2864
2865
2866
2867
2868
2869
2870
2871
2872
2873
2874
2875
2876
2877
2878
2879
# File 'manifests/vhost.pp', line 1691

define apache::vhost (
  Variant[Stdlib::Absolutepath, Boolean] $docroot,
  Boolean $manage_docroot                                                             = true,
  Variant[Stdlib::Absolutepath, Boolean] $virtual_docroot                             = false,
  Boolean $virtual_use_default_docroot                                                = false,
  Optional[Variant[Array[Stdlib::Port], Stdlib::Port]] $port                          = undef,
  Optional[
    Variant[
      Array[Variant[Stdlib::IP::Address, Enum['*']]],
      Variant[Stdlib::IP::Address, Enum['*']]
    ]
  ] $ip                                                                               = undef,
  Boolean $ip_based                                                                   = false,
  Boolean $add_listen                                                                 = true,
  String $docroot_owner                                                               = 'root',
  String $docroot_group                                                               = $apache::params::root_group,
  Optional[Stdlib::Filemode] $docroot_mode                                            = undef,
  Array[Enum['h2', 'h2c', 'http/1.1']] $protocols                                     = [],
  Optional[Boolean] $protocols_honor_order                                            = undef,
  Optional[String] $serveradmin                                                       = undef,
  Boolean $ssl                                                                        = false,
  Optional[Stdlib::Absolutepath] $ssl_cert                                            = $apache::default_ssl_cert,
  Optional[Stdlib::Absolutepath] $ssl_key                                             = $apache::default_ssl_key,
  Optional[Stdlib::Absolutepath] $ssl_chain                                           = $apache::default_ssl_chain,
  Optional[Stdlib::Absolutepath] $ssl_ca                                              = $apache::default_ssl_ca,
  Optional[Stdlib::Absolutepath] $ssl_crl_path                                        = $apache::default_ssl_crl_path,
  Optional[Stdlib::Absolutepath] $ssl_crl                                             = $apache::default_ssl_crl,
  Optional[String] $ssl_crl_check                                                     = $apache::default_ssl_crl_check,
  Optional[Stdlib::Absolutepath] $ssl_certs_dir                                       = $apache::params::ssl_certs_dir,
  Boolean $ssl_reload_on_change                                                       = $apache::default_ssl_reload_on_change,
  Optional[Variant[Array[String], String]] $ssl_protocol                              = undef,
  Optional[Variant[Array[String], String]] $ssl_cipher                                = undef,
  Variant[Boolean, Enum['on', 'On', 'off', 'Off'], Undef] $ssl_honorcipherorder       = undef,
  Optional[Enum['none', 'optional', 'require', 'optional_no_ca']] $ssl_verify_client  = undef,
  Optional[Integer] $ssl_verify_depth                                                 = undef,
  Optional[Enum['none', 'optional', 'require', 'optional_no_ca']] $ssl_proxy_verify   = undef,
  Optional[Integer[0]] $ssl_proxy_verify_depth                                        = undef,
  Optional[Stdlib::Absolutepath] $ssl_proxy_ca_cert                                   = undef,
  Optional[Enum['on', 'off']] $ssl_proxy_check_peer_cn                                = undef,
  Optional[Enum['on', 'off']] $ssl_proxy_check_peer_name                              = undef,
  Optional[Enum['on', 'off']] $ssl_proxy_check_peer_expire                            = undef,
  Optional[Stdlib::Absolutepath] $ssl_proxy_machine_cert                              = undef,
  Optional[Stdlib::Absolutepath] $ssl_proxy_machine_cert_chain                        = undef,
  Optional[String] $ssl_proxy_cipher_suite                                            = undef,
  Optional[String] $ssl_proxy_protocol                                                = undef,
  Optional[Variant[Array[String], String]] $ssl_options                               = undef,
  Optional[String] $ssl_openssl_conf_cmd                                              = undef,
  Boolean $ssl_proxyengine                                                            = false,
  Optional[Boolean] $ssl_stapling                                                     = undef,
  Optional[Integer] $ssl_stapling_timeout                                             = undef,
  Optional[Enum['on', 'off']] $ssl_stapling_return_errors                             = undef,
  Optional[String] $ssl_user_name                                                     = undef,
  Optional[Apache::Vhost::Priority] $priority                                         = undef,
  Boolean $default_vhost                                                              = false,
  Optional[String] $servername                                                        = $name,
  Variant[Array[String], String] $serveraliases                                       = [],
  Array[String] $options                                                              = ['Indexes', 'FollowSymLinks', 'MultiViews'],
  Array[String] $override                                                             = ['None'],
  Optional[String] $directoryindex                                                    = undef,
  String $vhost_name                                                                  = '*',
  Stdlib::Absolutepath $logroot                                                       = $apache::logroot,
  Enum['directory', 'absent'] $logroot_ensure                                         = 'directory',
  Optional[Stdlib::Filemode] $logroot_mode                                            = undef,
  Optional[String] $logroot_owner                                                     = undef,
  Optional[String] $logroot_group                                                     = undef,
  Optional[Apache::LogLevel] $log_level                                               = undef,
  Boolean $access_log                                                                 = true,
  Optional[String[1]] $access_log_file                                                = undef,
  Optional[String[1]] $access_log_pipe                                                = undef,
  Optional[Variant[String, Boolean]] $access_log_syslog                               = undef,
  Optional[String[1]] $access_log_format                                              = undef,
  Optional[Variant[Boolean, String]] $access_log_env_var                              = undef,
  Optional[Array[Hash]] $access_logs                                                  = undef,
  Boolean $use_servername_for_filenames                                               = false,
  Boolean $use_port_for_filenames                                                     = false,
  Array[Hash[String[1], String[1]]] $aliases                                          = [],
  Optional[Array[Hash]] $directories                                                  = undef,
  Boolean $error_log                                                                  = true,
  Optional[String] $error_log_file                                                    = undef,
  Optional[String] $error_log_pipe                                                    = undef,
  Optional[Variant[String, Boolean]] $error_log_syslog                                = undef,
  Optional[
    Array[
      Variant[
        String,
        Hash[String, Enum['connection', 'request']]
      ]
    ]
  ] $error_log_format                                                                 = undef,
  Optional[Pattern[/^((Strict|Unsafe)?\s*(\b(Registered|Lenient)Methods)?\s*(\b(Allow0\.9|Require1\.0))?)$/]] $http_protocol_options = undef,
  Optional[Variant[String, Boolean]] $modsec_audit_log                                = undef,
  Optional[String] $modsec_audit_log_file                                             = undef,
  Optional[String] $modsec_audit_log_pipe                                             = undef,
  Variant[Array[Hash], String] $error_documents                                       = [],
  Optional[Variant[Stdlib::Absolutepath, Enum['disabled']]] $fallbackresource         = undef,
  Optional[String] $scriptalias                                                       = undef,
  Array[Hash] $scriptaliases                                                          = [],
  Optional[Integer] $limitreqfieldsize                                                = undef,
  Optional[Integer] $limitreqfields                                                   = undef,
  Optional[Integer] $limitreqline                                                     = undef,
  Optional[Integer] $limitreqbody                                                     = undef,
  Optional[String] $proxy_dest                                                        = undef,
  Optional[String] $proxy_dest_match                                                  = undef,
  Optional[String] $proxy_dest_reverse_match                                          = undef,
  Optional[Variant[Array[Hash], Hash]] $proxy_pass                                    = undef,
  Optional[Variant[Array[Hash], Hash]] $proxy_pass_match                              = undef,
  Boolean $proxy_requests                                                             = false,
  Hash $php_flags                                                                     = {},
  Hash $php_values                                                                    = {},
  Variant[Array[String], Hash] $php_admin_flags                                       = {},
  Variant[Array[String], Hash] $php_admin_values                                      = {},
  Variant[Array[String], String] $no_proxy_uris                                       = [],
  Variant[Array[String], String] $no_proxy_uris_match                                 = [],
  Boolean $proxy_preserve_host                                                        = false,
  Optional[Variant[String, Boolean]] $proxy_add_headers                               = undef,
  Boolean $proxy_error_override                                                       = false,
  Variant[String, Array[String]] $redirect_source                                     = '/',
  Optional[Variant[Array[String], String]] $redirect_dest                             = undef,
  Optional[Variant[Array[String], String]] $redirect_status                           = undef,
  Optional[Variant[Array[String], String]] $redirectmatch_status                      = undef,
  Optional[Variant[Array[String], String]] $redirectmatch_regexp                      = undef,
  Optional[Variant[Array[String], String]] $redirectmatch_dest                        = undef,
  Array[String[1]] $headers                                                           = [],
  Array[String[1]] $request_headers                                                   = [],
  Array[String[1]] $filters                                                           = [],
  Array[Hash] $rewrites                                                               = [],
  Optional[String[1]] $rewrite_base                                                   = undef,
  Optional[Variant[Array[String[1]], String[1]]] $rewrite_rule                        = undef,
  Array[String[1]] $rewrite_cond                                                      = [],
  Boolean $rewrite_inherit                                                            = false,
  Variant[Array[String], String] $setenv                                              = [],
  Variant[Array[String], String] $setenvif                                            = [],
  Variant[Array[String], String] $setenvifnocase                                      = [],
  Variant[Array[String], String] $block                                               = [],
  Enum['absent', 'present'] $ensure                                                   = 'present',
  Optional[String] $wsgi_application_group                                            = undef,
  Optional[Variant[String, Hash]] $wsgi_daemon_process                                = undef,
  Optional[Hash] $wsgi_daemon_process_options                                         = undef,
  Optional[String] $wsgi_import_script                                                = undef,
  Optional[Hash] $wsgi_import_script_options                                          = undef,
  Optional[String] $wsgi_process_group                                                = undef,
  Optional[Hash] $wsgi_script_aliases_match                                           = undef,
  Optional[Hash] $wsgi_script_aliases                                                 = undef,
  Optional[Enum['on', 'off', 'On', 'Off']] $wsgi_pass_authorization                   = undef,
  Optional[Enum['On', 'Off']] $wsgi_chunked_request                                   = undef,
  Optional[String] $custom_fragment                                                   = undef,
  Optional[Hash] $itk                                                                 = undef,
  Optional[String] $action                                                            = undef,
  Variant[Array[String], String] $additional_includes                                 = [],
  Boolean $use_optional_includes                                                      = $apache::use_optional_includes,
  Optional[Enum['on', 'off', 'nodecode']] $allow_encoded_slashes                      = undef,
  Optional[Pattern[/^[\w-]+ [\w-]+$/]] $suexec_user_group                             = undef,

  Optional[Boolean] $h2_copy_files                                                    = undef,
  Optional[Boolean] $h2_direct                                                        = undef,
  Optional[Boolean] $h2_early_hints                                                   = undef,
  Optional[Integer] $h2_max_session_streams                                           = undef,
  Optional[Boolean] $h2_modern_tls_only                                               = undef,
  Optional[Boolean] $h2_push                                                          = undef,
  Optional[Integer] $h2_push_diary_size                                               = undef,
  Array[String]     $h2_push_priority                                                 = [],
  Array[String]     $h2_push_resource                                                 = [],
  Optional[Boolean] $h2_serialize_headers                                             = undef,
  Optional[Integer] $h2_stream_max_mem_size                                           = undef,
  Optional[Integer] $h2_tls_cool_down_secs                                            = undef,
  Optional[Integer] $h2_tls_warm_up_size                                              = undef,
  Optional[Boolean] $h2_upgrade                                                       = undef,
  Optional[Integer] $h2_window_size                                                   = undef,

  Optional[Boolean] $passenger_enabled                                                = undef,
  Optional[String] $passenger_base_uri                                                = undef,
  Optional[Stdlib::Absolutepath] $passenger_ruby                                      = undef,
  Optional[Stdlib::Absolutepath] $passenger_python                                    = undef,
  Optional[Stdlib::Absolutepath] $passenger_nodejs                                    = undef,
  Optional[String] $passenger_meteor_app_settings                                     = undef,
  Optional[String] $passenger_app_env                                                 = undef,
  Optional[Stdlib::Absolutepath] $passenger_app_root                                  = undef,
  Optional[String] $passenger_app_group_name                                          = undef,
  Optional[String] $passenger_app_start_command                                       = undef,
  Optional[Enum['meteor', 'node', 'rack', 'wsgi']] $passenger_app_type                = undef,
  Optional[String] $passenger_startup_file                                            = undef,
  Optional[String] $passenger_restart_dir                                             = undef,
  Optional[Enum['direct', 'smart']] $passenger_spawn_method                           = undef,
  Optional[Boolean] $passenger_load_shell_envvars                                     = undef,
  Optional[Boolean] $passenger_preload_bundler                                        = undef,
  Optional[Boolean] $passenger_rolling_restarts                                       = undef,
  Optional[Boolean] $passenger_resist_deployment_errors                               = undef,
  Optional[String] $passenger_user                                                    = undef,
  Optional[String] $passenger_group                                                   = undef,
  Optional[Boolean] $passenger_friendly_error_pages                                   = undef,
  Optional[Integer] $passenger_min_instances                                          = undef,
  Optional[Integer] $passenger_max_instances                                          = undef,
  Optional[Integer] $passenger_max_preloader_idle_time                                = undef,
  Optional[Integer] $passenger_force_max_concurrent_requests_per_process              = undef,
  Optional[Integer] $passenger_start_timeout                                          = undef,
  Optional[Enum['process', 'thread']] $passenger_concurrency_model                    = undef,
  Optional[Integer] $passenger_thread_count                                           = undef,
  Optional[Integer] $passenger_max_requests                                           = undef,
  Optional[Integer] $passenger_max_request_time                                       = undef,
  Optional[Integer] $passenger_memory_limit                                           = undef,
  Optional[Integer] $passenger_stat_throttle_rate                                     = undef,
  Optional[Variant[String, Array[String]]] $passenger_pre_start                       = undef,
  Optional[Boolean] $passenger_high_performance                                       = undef,
  Optional[Boolean] $passenger_buffer_upload                                          = undef,
  Optional[Boolean] $passenger_buffer_response                                        = undef,
  Optional[Boolean] $passenger_error_override                                         = undef,
  Optional[Integer] $passenger_max_request_queue_size                                 = undef,
  Optional[Integer] $passenger_max_request_queue_time                                 = undef,
  Optional[Boolean] $passenger_sticky_sessions                                        = undef,
  Optional[String] $passenger_sticky_sessions_cookie_name                             = undef,
  Optional[String] $passenger_sticky_sessions_cookie_attributes                       = undef,
  Optional[Boolean] $passenger_allow_encoded_slashes                                  = undef,
  Optional[String] $passenger_app_log_file                                            = undef,
  Optional[Boolean] $passenger_debugger                                               = undef,
  Optional[Integer] $passenger_lve_min_uid                                            = undef,
  Optional[String] $add_default_charset                                               = undef,
  Boolean $modsec_disable_vhost                                                       = false,
  Optional[Variant[Hash, Array]] $modsec_disable_ids                                  = undef,
  Array[String[1]] $modsec_disable_ips                                                = [],
  Optional[Variant[Hash, Array]] $modsec_disable_msgs                                 = undef,
  Optional[Variant[Hash, Array]] $modsec_disable_tags                                 = undef,
  Optional[String] $modsec_body_limit                                                 = undef,
  Optional[Integer[1, default]] $modsec_inbound_anomaly_threshold                     = undef,
  Optional[Integer[1, default]] $modsec_outbound_anomaly_threshold                    = undef,
  Optional[String] $modsec_allowed_methods                                            = undef,
  Array[Hash] $jk_mounts                                                              = [],
  Boolean $auth_kerb                                                                  = false,
  Enum['on', 'off'] $krb_method_negotiate                                             = 'on',
  Enum['on', 'off'] $krb_method_k5passwd                                              = 'on',
  Enum['on', 'off'] $krb_authoritative                                                = 'on',
  Array[String] $krb_auth_realms                                                      = [],
  Optional[String] $krb_5keytab                                                       = undef,
  Optional[Enum['on', 'off']] $krb_local_user_mapping                                 = undef,
  Enum['on', 'off'] $krb_verify_kdc                                                   = 'on',
  String $krb_servicename                                                             = 'HTTP',
  Enum['on', 'off'] $krb_save_credentials                                             = 'off',
  Optional[Enum['on', 'off']] $keepalive                                              = undef,
  Optional[Variant[Integer, String]] $keepalive_timeout                               = undef,
  Optional[Variant[Integer, String]] $max_keepalive_requests                          = undef,
  Optional[String] $cas_attribute_prefix                                              = undef,
  Optional[String] $cas_attribute_delimiter                                           = undef,
  Optional[String] $cas_root_proxied_as                                               = undef,
  Boolean $cas_scrub_request_headers                                                  = false,
  Boolean $cas_sso_enabled                                                            = false,
  Optional[String] $cas_login_url                                                     = undef,
  Optional[String] $cas_validate_url                                                  = undef,
  Boolean $cas_validate_saml                                                          = false,
  Optional[String] $cas_cookie_path                                                   = undef,
  Optional[String] $shib_compat_valid_user                                            = undef,
  Optional[Enum['On', 'on', 'Off', 'off', 'DNS', 'dns']] $use_canonical_name          = undef,
  Optional[Variant[String, Array[String]]] $comment                                   = undef,
  Hash $define                                                                        = {},
  Boolean $auth_oidc                                                                  = false,
  Apache::OIDCSettings $oidc_settings                                                 = {},
  Optional[Variant[Boolean, String]] $mdomain                                         = undef,
  Optional[Variant[String[1], Array[String[1]]]] $userdir                             = undef,
) {
  # The base class must be included first because it is used by parameter defaults
  if ! defined(Class['apache']) {
    fail('You must include the apache base class before using any apache defined resources')
  }

  $apache_name = $apache::apache_name

  # Input validation begins

  if $access_log_file and $access_log_pipe {
    fail("Apache::Vhost[${name}]: 'access_log_file' and 'access_log_pipe' cannot be defined at the same time")
  }

  if $error_log_file and $error_log_pipe {
    fail("Apache::Vhost[${name}]: 'error_log_file' and 'error_log_pipe' cannot be defined at the same time")
  }

  if $modsec_audit_log_file and $modsec_audit_log_pipe {
    fail("Apache::Vhost[${name}]: 'modsec_audit_log_file' and 'modsec_audit_log_pipe' cannot be defined at the same time")
  }

  # Input validation ends

  if $ssl_honorcipherorder =~ Boolean or $ssl_honorcipherorder == undef {
    $_ssl_honorcipherorder = $ssl_honorcipherorder
  } else {
    $_ssl_honorcipherorder = $ssl_honorcipherorder ? {
      'on'    => true,
      'On'    => true,
      'off'   => false,
      'Off'   => false,
      default => true,
    }
  }

  # Configure the defaultness of a vhost
  if $priority {
    $priority_real = "${priority}-"
  } elsif $priority == false {
    $priority_real = ''
  } elsif $default_vhost {
    $priority_real = '10-'
  } else {
    $priority_real = '25-'
  }

  # https://httpd.apache.org/docs/2.4/fr/mod/core.html#servername
  # Syntax:	ServerName [scheme://]domain-name|ip-address[:port]
  # Sometimes, the server runs behind a device that processes SSL, such as a reverse proxy, load balancer or SSL offload
  # appliance.
  # When this is the case, specify the https:// scheme and the port number to which the clients connect in the ServerName
  # directive to make sure that the server generates the correct self-referential URLs.
  $normalized_servername = regsubst($servername, '(https?:\/\/)?([a-z0-9\/%_+.,#?!@&=-]+)(:?\d+)?', '\2', 'G')

  # IAC-1186: A number of configuration and log file names are generated using the $name parameter. It is possible for
  # the $name parameter to contain spaces, which could then be transferred to the log / config filenames. Although
  # POSIX compliant, this can be cumbersome.
  #
  # It seems more appropriate to use the $servername parameter to derive default log / config filenames from. We should
  # also perform some sanitiation on the $servername parameter to strip spaces from it, as it defaults to the value of
  # $name, should $servername NOT be defined.
  #
  # Because a single hostname may be use by multiple virtual hosts listening on different ports, the $port paramter can
  # optionaly be used to avoid duplicate resources.
  $filename = $use_servername_for_filenames ? {
    true => $use_port_for_filenames ? {
      true  => regsubst("${normalized_servername}-${port}", ' ', '_', 'G'),
      false => regsubst($normalized_servername, ' ', '_', 'G'),
    },
    false => $name,
  }

  # This ensures that the docroot exists
  # But enables it to be specified across multiple vhost resources
  if $manage_docroot and $docroot and ! defined(File[$docroot]) {
    file { $docroot:
      ensure  => directory,
      owner   => $docroot_owner,
      group   => $docroot_group,
      mode    => $docroot_mode,
      require => Package['httpd'],
      before  => Concat["${priority_real}${filename}.conf"],
    }
  }

  # Same as above, but for logroot
  if ! defined(File[$logroot]) {
    file { $logroot:
      ensure  => $logroot_ensure,
      owner   => $logroot_owner,
      group   => $logroot_group,
      mode    => $logroot_mode,
      require => Package['httpd'],
      before  => Concat["${priority_real}${filename}.conf"],
      notify  => Class['Apache::Service'],
    }
  }

  # Is apache::mod::shib enabled (or apache::mod['shib2'])
  $shibboleth_enabled = defined(Apache::Mod['shib2'])

  # Is apache::mod::cas enabled (or apache::mod['cas'])
  $cas_enabled = defined(Apache::Mod['auth_cas'])

  if $access_log and !$access_logs {
    $_access_logs = [{
        'file'        => $access_log_file,
        'pipe'        => $access_log_pipe,
        'syslog'      => $access_log_syslog,
        'format'      => $access_log_format,
        'env'         => $access_log_env_var
    }]
  } elsif $access_logs {
    $_access_logs = $access_logs
  } else {
    $_access_logs = []
  }

  if $error_log_file {
    if $error_log_file =~ /^\// {
      # Absolute path provided - don't prepend $logroot
      $error_log_destination = $error_log_file
    } else {
      $error_log_destination = "${logroot}/${error_log_file}"
    }
  } elsif $error_log_pipe {
    $error_log_destination = $error_log_pipe
  } elsif $error_log_syslog {
    $error_log_destination = $error_log_syslog
  } else {
    if $ssl {
      $error_log_destination = "${logroot}/${filename}_error_ssl.log"
    } else {
      $error_log_destination = "${logroot}/${filename}_error.log"
    }
  }

  if $modsec_audit_log == false {
    $modsec_audit_log_destination = undef
  } elsif $modsec_audit_log_file {
    $modsec_audit_log_destination = "${logroot}/${modsec_audit_log_file}"
  } elsif $modsec_audit_log_pipe {
    $modsec_audit_log_destination = $modsec_audit_log_pipe
  } elsif $modsec_audit_log {
    if $ssl {
      $modsec_audit_log_destination = "${logroot}/${filename}_security_ssl.log"
    } else {
      $modsec_audit_log_destination = "${logroot}/${filename}_security.log"
    }
  } else {
    $modsec_audit_log_destination = undef
  }

  if $ip {
    $_ip = any2array(enclose_ipv6($ip))
    if $port {
      $_port = any2array($port)
      $listen_addr_port = split(inline_template("<%= @_ip.product(@_port).map {|x| x.join(':')  }.join(',')%>"), ',')
      $nvh_addr_port = split(inline_template("<%= @_ip.product(@_port).map {|x| x.join(':')  }.join(',')%>"), ',')
    } else {
      $listen_addr_port = undef
      $nvh_addr_port = $_ip
      if ! $servername and ! $ip_based {
        fail("Apache::Vhost[${name}]: must pass 'ip' and/or 'port' parameters for name-based vhosts")
      }
    }
  } else {
    if $port {
      $listen_addr_port = $port
      $nvh_addr_port = prefix(any2array($port), "${vhost_name}:")
    } else {
      $listen_addr_port = undef
      $nvh_addr_port = $name
      if ! $servername and $servername != '' {
        fail("Apache::Vhost[${name}]: must pass 'ip' and/or 'port' parameters, and/or 'servername' parameter")
      }
    }
  }

  if $add_listen {
    if $ip and defined(Apache::Listen[String($port)]) {
      fail("Apache::Vhost[${name}]: Mixing IP and non-IP Listen directives is not possible; check the add_listen parameter of the apache::vhost define to disable this")
    }
    if $listen_addr_port and $ensure == 'present' {
      ensure_resource('apache::listen', $listen_addr_port)
    }
  }

  ## Create a default directory list if none defined
  if $directories {
    $_directories = $directories
  } elsif $docroot {
    $_directories = [{
      provider       => 'directory',
      path           => $docroot,
      options        => $options,
      allow_override => $override,
      directoryindex => $directoryindex,
      require        => 'all granted',
    }]
  } else {
    $_directories = undef
  }

  ## Create a global LocationMatch if locations aren't defined
  if $modsec_disable_ids {
    if $modsec_disable_ids =~ Array {
      $_modsec_disable_ids = { '.*' => $modsec_disable_ids }
    } else {
      $_modsec_disable_ids = $modsec_disable_ids
    }
  }

  if $modsec_disable_msgs {
    if $modsec_disable_msgs =~ Array {
      $_modsec_disable_msgs = { '.*' => $modsec_disable_msgs }
    } else {
      $_modsec_disable_msgs = $modsec_disable_msgs
    }
  }

  if $modsec_disable_tags {
    if $modsec_disable_tags =~ Array {
      $_modsec_disable_tags = { '.*' => $modsec_disable_tags }
    } else {
      $_modsec_disable_tags = $modsec_disable_tags
    }
  }

  concat { "${priority_real}${filename}.conf":
    ensure  => $ensure,
    path    => "${apache::vhost_dir}/${priority_real}${filename}.conf",
    owner   => 'root',
    group   => $apache::params::root_group,
    mode    => $apache::file_mode,
    order   => 'numeric',
    require => Package['httpd'],
    notify  => Class['apache::service'],
  }
  # NOTE(pabelanger): This code is duplicated in ::apache::vhost::custom and
  # needs to be converted into something generic.
  if $apache::vhost_enable_dir {
    $vhost_enable_dir = $apache::vhost_enable_dir
    $vhost_symlink_ensure = $ensure ? {
      'present' => link,
      default => $ensure,
    }
    file { "${priority_real}${filename}.conf symlink":
      ensure  => $vhost_symlink_ensure,
      path    => "${vhost_enable_dir}/${priority_real}${filename}.conf",
      target  => "${apache::vhost_dir}/${priority_real}${filename}.conf",
      owner   => 'root',
      group   => $apache::params::root_group,
      mode    => $apache::file_mode,
      require => Concat["${priority_real}${filename}.conf"],
      notify  => Class['apache::service'],
    }
  }

  # Template uses:
  # - $comment
  # - $nvh_addr_port
  # - $servername
  # - $serveradmin
  # - $protocols
  # - $protocols_honor_order
  # - $mdomain
  concat::fragment { "${name}-apache-header":
    target  => "${priority_real}${filename}.conf",
    order   => 0,
    content => template('apache/vhost/_file_header.erb'),
  }

  # Template uses:
  # - $virtual_docroot
  # - $virtual_use_default_docroot
  # - $docroot
  if $docroot and $ensure == 'present' {
    if $virtual_docroot {
      include apache::mod::vhost_alias
    }

    concat::fragment { "${name}-docroot":
      target  => "${priority_real}${filename}.conf",
      order   => 10,
      content => template('apache/vhost/_docroot.erb'),
    }
  }

  # Template uses:
  # - $aliases
  if ! empty($aliases) and $ensure == 'present' {
    include apache::mod::alias

    concat::fragment { "${name}-aliases":
      target  => "${priority_real}${filename}.conf",
      order   => 20,
      content => template('apache/vhost/_aliases.erb'),
    }
  }

  # Template uses:
  # - $itk
  # - $::kernelversion
  if $itk and ! empty($itk) {
    concat::fragment { "${name}-itk":
      target  => "${priority_real}${filename}.conf",
      order   => 30,
      content => template('apache/vhost/_itk.erb'),
    }
  }

  # Template uses:
  # - $fallbackresource
  if $fallbackresource {
    concat::fragment { "${name}-fallbackresource":
      target  => "${priority_real}${filename}.conf",
      order   => 40,
      content => template('apache/vhost/_fallbackresource.erb'),
    }
  }

  # Template uses:
  # - $allow_encoded_slashes
  if $allow_encoded_slashes {
    concat::fragment { "${name}-allow_encoded_slashes":
      target  => "${priority_real}${filename}.conf",
      order   => 50,
      content => template('apache/vhost/_allow_encoded_slashes.erb'),
    }
  }

  # Template uses:
  # - $_directories
  # - $docroot
  # - $shibboleth_enabled
  if $_directories and ! empty($_directories) and $ensure == 'present' {
    $_directories.each |Hash $directory| {
      if 'auth_basic_authoritative' in $directory or 'auth_basic_fake' in $directory or 'auth_basic_provider' in $directory {
        include apache::mod::auth_basic
      }

      if 'auth_user_file' in $directory {
        include apache::mod::authn_file
      }

      if 'auth_group_file' in $directory {
        include apache::mod::authz_groupfile
      }

      if 'gssapi' in $directory {
        include apache::mod::auth_gssapi
      }

      if $directory['provider'] and $directory['provider'] =~ 'location' and ('proxy_pass' in $directory or 'proxy_pass_match' in $directory) {
        include apache::mod::proxy_http
      }

      if 'request_headers' in $directory {
        include apache::mod::headers
      }

      if 'rewrites' in $directory {
        include apache::mod::rewrite
      }

      if 'setenv' in $directory {
        include apache::mod::env
      }
    }

    concat::fragment { "${name}-directories":
      target  => "${priority_real}${filename}.conf",
      order   => 60,
      content => template('apache/vhost/_directories.erb'),
    }
  }

  # Template uses:
  # - $additional_includes
  if $additional_includes and ! empty($additional_includes) {
    concat::fragment { "${name}-additional_includes":
      target  => "${priority_real}${filename}.conf",
      order   => 70,
      content => template('apache/vhost/_additional_includes.erb'),
    }
  }

  # Template uses:
  # - $error_log
  # - $error_log_format
  # - $log_level
  # - $error_log_destination
  # - $log_level
  if $error_log or $log_level {
    concat::fragment { "${name}-logging":
      target  => "${priority_real}${filename}.conf",
      order   => 80,
      content => template('apache/vhost/_logging.erb'),
    }
  }

  # Template uses no variables
  concat::fragment { "${name}-serversignature":
    target  => "${priority_real}${filename}.conf",
    order   => 90,
    content => template('apache/vhost/_serversignature.erb'),
  }

  # Template uses:
  # - $_access_logs
  # - $_access_log_env_var
  # - $access_log_destination
  # - $_access_log_format
  # - $_access_log_env_var
  if !empty($_access_logs) {
    concat::fragment { "${name}-access_log":
      target  => "${priority_real}${filename}.conf",
      order   => 100,
      content => template('apache/vhost/_access_log.erb'),
    }
  }

  # Template uses:
  # - $action
  if $action {
    concat::fragment { "${name}-action":
      target  => "${priority_real}${filename}.conf",
      order   => 110,
      content => template('apache/vhost/_action.erb'),
    }
  }

  # Template uses:
  # - $block
  if $block and ! empty($block) {
    concat::fragment { "${name}-block":
      target  => "${priority_real}${filename}.conf",
      order   => 120,
      content => template('apache/vhost/_block.erb'),
    }
  }

  # Template uses:
  # - $error_documents
  if $error_documents and ! empty($error_documents) {
    concat::fragment { "${name}-error_document":
      target  => "${priority_real}${filename}.conf",
      order   => 130,
      content => template('apache/vhost/_error_document.erb'),
    }
  }

  # Template uses:
  # - $headers
  if ! empty($headers) and $ensure == 'present' {
    include apache::mod::headers

    concat::fragment { "${name}-header":
      target  => "${priority_real}${filename}.conf",
      order   => 140,
      content => template('apache/vhost/_header.erb'),
    }
  }

  # Template uses:
  # - $request_headers
  if ! empty($request_headers) and $ensure == 'present' {
    include apache::mod::headers

    concat::fragment { "${name}-requestheader":
      target  => "${priority_real}${filename}.conf",
      order   => 150,
      content => template('apache/vhost/_requestheader.erb'),
    }
  }

  # Template uses:
  # - $ssl_proxyengine
  # - $ssl_proxy_verify
  # - $ssl_proxy_verify_depth
  # - $ssl_proxy_ca_cert
  # - $ssl_proxy_check_peer_cn
  # - $ssl_proxy_check_peer_name
  # - $ssl_proxy_check_peer_expire
  # - $ssl_proxy_machine_cert
  # - $ssl_proxy_machine_cert_chain
  # - $ssl_proxy_protocol
  if $ssl_proxyengine {
    concat::fragment { "${name}-sslproxy":
      target  => "${priority_real}${filename}.conf",
      order   => 160,
      content => template('apache/vhost/_sslproxy.erb'),
    }
  }

  # Template uses:
  # - $proxy_dest
  # - $proxy_pass
  # - $proxy_pass_match
  # - $proxy_preserve_host
  # - $proxy_add_headers
  # - $no_proxy_uris
  if ($proxy_dest or $proxy_pass or $proxy_pass_match or $proxy_dest_match or $proxy_preserve_host) and $ensure == 'present' {
    include apache::mod::proxy_http

    concat::fragment { "${name}-proxy":
      target  => "${priority_real}${filename}.conf",
      order   => 170,
      content => template('apache/vhost/_proxy.erb'),
    }
  }

  # Template uses:
  # - $redirect_source
  # - $redirect_dest
  # - $redirect_status
  # - $redirect_dest_a
  # - $redirect_source_a
  # - $redirect_status_a
  # - $redirectmatch_status
  # - $redirectmatch_regexp
  # - $redirectmatch_dest
  # - $redirectmatch_status_a
  # - $redirectmatch_regexp_a
  # - $redirectmatch_dest
  if (($redirect_source and $redirect_dest) or ($redirectmatch_regexp and $redirectmatch_dest)) and $ensure == 'present' {
    include apache::mod::alias

    concat::fragment { "${name}-redirect":
      target  => "${priority_real}${filename}.conf",
      order   => 180,
      content => template('apache/vhost/_redirect.erb'),
    }
  }

  # Template uses:
  # - $rewrites
  # - $rewrite_inherit
  # - $rewrite_base
  # - $rewrite_rule
  # - $rewrite_cond
  # - $rewrite_map
  if (! empty($rewrites) or $rewrite_rule or $rewrite_inherit) and $ensure == 'present' {
    include apache::mod::rewrite

    concat::fragment { "${name}-rewrite":
      target  => "${priority_real}${filename}.conf",
      order   => 190,
      content => template('apache/vhost/_rewrite.erb'),
    }
  }

  # Template uses:
  # - $scriptaliases
  # - $scriptalias
  if ($scriptalias or !empty($scriptaliases)) and $ensure == 'present' {
    include apache::mod::alias

    concat::fragment { "${name}-scriptalias":
      target  => "${priority_real}${filename}.conf",
      order   => 200,
      content => template('apache/vhost/_scriptalias.erb'),
    }
  }

  # Template uses:
  # - $serveraliases
  if ! empty($serveraliases) and $ensure == 'present' {
    concat::fragment { "${name}-serveralias":
      target  => "${priority_real}${filename}.conf",
      order   => 210,
      content => template('apache/vhost/_serveralias.erb'),
    }
  }

  # Template uses:
  # - $setenv
  # - $setenvif
  $use_env_mod = !empty($setenv)
  $use_setenvif_mod = !empty($setenvif) or !empty($setenvifnocase)
  if ($use_env_mod or $use_setenvif_mod) and $ensure == 'present' {
    if $use_env_mod {
      include apache::mod::env
    }
    if $use_setenvif_mod {
      include apache::mod::setenvif
    }

    concat::fragment { "${name}-setenv":
      target  => "${priority_real}${filename}.conf",
      order   => 220,
      content => template('apache/vhost/_setenv.erb'),
    }
  }

  # Template uses:
  # - $ssl
  # - $ssl_cert
  # - $ssl_key
  # - $ssl_chain
  # - $ssl_certs_dir
  # - $ssl_ca
  # - $ssl_crl_path
  # - $ssl_crl
  # - $ssl_crl_check
  # - $ssl_protocol
  # - $ssl_cipher
  # - $_ssl_honorcipherorder
  # - $ssl_verify_client
  # - $ssl_verify_depth
  # - $ssl_options
  # - $ssl_openssl_conf_cmd
  # - $ssl_stapling
  # - $mdomain
  if $ssl and $ensure == 'present' {
    include apache::mod::ssl

    concat::fragment { "${name}-ssl":
      target  => "${priority_real}${filename}.conf",
      order   => 230,
      content => template('apache/vhost/_ssl.erb'),
    }

    if $ssl_reload_on_change {
      [$ssl_cert, $ssl_key, $ssl_ca, $ssl_chain, $ssl_crl].each |$ssl_file| {
        if $ssl_file {
          include apache::mod::ssl::reload
          $_ssl_file_copy = regsubst($ssl_file, '/', '_', 'G')
          file { "${filename}${_ssl_file_copy}":
            path    => "${apache::params::puppet_ssl_dir}/${filename}${_ssl_file_copy}",
            source  => "file://${ssl_file}",
            owner   => 'root',
            group   => $apache::params::root_group,
            mode    => '0640',
            seltype => 'cert_t',
            notify  => Class['apache::service'],
          }
        }
      }
    }
  }

  # Template uses:
  # - $auth_kerb
  # - $krb_method_negotiate
  # - $krb_method_k5passwd
  # - $krb_authoritative
  # - $krb_auth_realms
  # - $krb_5keytab
  # - $krb_local_user_mapping
  if $auth_kerb and $ensure == 'present' {
    include apache::mod::auth_kerb

    concat::fragment { "${name}-auth_kerb":
      target  => "${priority_real}${filename}.conf",
      order   => 230,
      content => template('apache/vhost/_auth_kerb.erb'),
    }
  }

  # Template uses:
  # - $php_values
  # - $php_flags
  if ($php_values and ! empty($php_values)) or ($php_flags and ! empty($php_flags)) {
    concat::fragment { "${name}-php":
      target  => "${priority_real}${filename}.conf",
      order   => 240,
      content => template('apache/vhost/_php.erb'),
    }
  }

  # Template uses:
  # - $php_admin_values
  # - $php_admin_flags
  if ($php_admin_values and ! empty($php_admin_values)) or ($php_admin_flags and ! empty($php_admin_flags)) {
    concat::fragment { "${name}-php_admin":
      target  => "${priority_real}${filename}.conf",
      order   => 250,
      content => template('apache/vhost/_php_admin.erb'),
    }
  }

  # Template uses:
  # - $wsgi_application_group
  # - $wsgi_daemon_process
  # - $wsgi_daemon_process_options
  # - $wsgi_import_script
  # - $wsgi_import_script_options
  # - $wsgi_process_group
  # - $wsgi_script_aliases
  # - $wsgi_pass_authorization
  if $wsgi_daemon_process_options {
    deprecation('apache::vhost::wsgi_daemon_process_options', 'This parameter is deprecated. Please add values inside Hash `wsgi_daemon_process`.')
  }
  if ($wsgi_application_group or $wsgi_daemon_process or ($wsgi_import_script and $wsgi_import_script_options) or $wsgi_process_group or ($wsgi_script_aliases and ! empty($wsgi_script_aliases)) or $wsgi_pass_authorization) and $ensure == 'present' {
    include apache::mod::wsgi

    concat::fragment { "${name}-wsgi":
      target  => "${priority_real}${filename}.conf",
      order   => 260,
      content => template('apache/vhost/_wsgi.erb'),
    }
  }

  # Template uses:
  # - $custom_fragment
  if $custom_fragment {
    concat::fragment { "${name}-custom_fragment":
      target  => "${priority_real}${filename}.conf",
      order   => 270,
      content => template('apache/vhost/_custom_fragment.erb'),
    }
  }

  # Template uses:
  # - $suexec_user_group
  if $suexec_user_group and $ensure == 'present' {
    include apache::mod::suexec

    concat::fragment { "${name}-suexec":
      target  => "${priority_real}${filename}.conf",
      order   => 290,
      content => template('apache/vhost/_suexec.erb'),
    }
  }

  if ('h2' in $protocols or 'h2c' in $protocols or $h2_copy_files != undef or $h2_direct != undef or $h2_early_hints != undef or $h2_max_session_streams != undef or $h2_modern_tls_only != undef or $h2_push != undef or $h2_push_diary_size != undef or $h2_push_priority != [] or $h2_push_resource != [] or $h2_serialize_headers != undef or $h2_stream_max_mem_size != undef or $h2_tls_cool_down_secs != undef or $h2_tls_warm_up_size != undef or $h2_upgrade != undef or $h2_window_size != undef) and $ensure == 'present' {
    include apache::mod::http2

    concat::fragment { "${name}-http2":
      target  => "${priority_real}${filename}.conf",
      order   => 300,
      content => template('apache/vhost/_http2.erb'),
    }
  }

  if $mdomain and $ensure == 'present' {
    include apache::mod::md
  }

  # Template uses:
  # - $userdir
  if $userdir and $ensure == 'present' {
    include apache::mod::userdir

    concat::fragment { "${name}-userdir":
      target  => "${priority_real}${filename}.conf",
      order   => 300,
      content => template('apache/vhost/_userdir.erb'),
    }
  }

  # Template uses:
  # - $passenger_enabled
  # - $passenger_start_timeout
  # - $passenger_ruby
  # - $passenger_python
  # - $passenger_nodejs
  # - $passenger_meteor_app_settings
  # - $passenger_app_env
  # - $passenger_app_root
  # - $passenger_app_group_name
  # - $passenger_app_start_command
  # - $passenger_app_type
  # - $passenger_startup_file
  # - $passenger_restart_dir
  # - $passenger_spawn_method
  # - $passenger_load_shell_envvars
  # - $passenger_preload_bundler
  # - $passenger_rolling_restarts
  # - $passenger_resist_deployment_errors
  # - $passenger_min_instances
  # - $passenger_max_instances
  # - $passenger_max_preloader_idle_time
  # - $passenger_force_max_concurrent_requests_per_process
  # - $passenger_concurrency_model
  # - $passenger_thread_count
  # - $passenger_high_performance
  # - $passenger_max_request_queue_size
  # - $passenger_max_request_queue_time
  # - $passenger_user
  # - $passenger_group
  # - $passenger_friendly_error_pages
  # - $passenger_buffer_upload
  # - $passenger_buffer_response
  # - $passenger_allow_encoded_slashes
  # - $passenger_lve_min_uid
  # - $passenger_base_uri
  # - $passenger_error_override
  # - $passenger_sticky_sessions
  # - $passenger_sticky_sessions_cookie_name
  # - $passenger_sticky_sessions_cookie_attributes
  # - $passenger_app_log_file
  # - $passenger_debugger
  # - $passenger_max_requests
  # - $passenger_max_request_time
  # - $passenger_memory_limit
  if ($passenger_enabled != undef or $passenger_start_timeout != undef or $passenger_ruby != undef or $passenger_python != undef or $passenger_nodejs != undef or $passenger_meteor_app_settings != undef or $passenger_app_env != undef or $passenger_app_root != undef or $passenger_app_group_name != undef or $passenger_app_start_command != undef or $passenger_app_type != undef or $passenger_startup_file != undef or $passenger_restart_dir != undef or $passenger_spawn_method != undef or $passenger_load_shell_envvars != undef or $passenger_preload_bundler != undef or $passenger_rolling_restarts != undef or $passenger_resist_deployment_errors != undef or $passenger_min_instances != undef or $passenger_max_instances != undef or $passenger_max_preloader_idle_time != undef or $passenger_force_max_concurrent_requests_per_process != undef or $passenger_concurrency_model != undef or $passenger_thread_count != undef or $passenger_high_performance != undef or $passenger_max_request_queue_size != undef or $passenger_max_request_queue_time != undef or $passenger_user != undef or $passenger_group != undef or $passenger_friendly_error_pages != undef or $passenger_buffer_upload != undef or $passenger_buffer_response != undef or $passenger_allow_encoded_slashes != undef or $passenger_lve_min_uid != undef or $passenger_base_uri != undef or $passenger_error_override != undef or $passenger_sticky_sessions != undef or $passenger_sticky_sessions_cookie_name != undef or $passenger_sticky_sessions_cookie_attributes != undef or $passenger_app_log_file != undef or $passenger_debugger != undef or $passenger_max_requests != undef or $passenger_max_request_time != undef or $passenger_memory_limit != undef) and $ensure == 'present' {
    include apache::mod::passenger

    concat::fragment { "${name}-passenger":
      target  => "${priority_real}${filename}.conf",
      order   => 300,
      content => template('apache/vhost/_passenger.erb'),
    }
  }

  # Template uses:
  # - $add_default_charset
  if $add_default_charset {
    concat::fragment { "${name}-charsets":
      target  => "${priority_real}${filename}.conf",
      order   => 310,
      content => template('apache/vhost/_charsets.erb'),
    }
  }

  # Template uses:
  # - $modsec_disable_vhost
  # - $modsec_disable_ids
  # - $modsec_disable_ips
  # - $modsec_disable_msgs
  # - $modsec_disable_tags
  # - $modsec_body_limit
  # - $modsec_audit_log_destination
  # - $modsec_inbound_anomaly_threshold
  # - $modsec_outbound_anomaly_threshold
  # - $modsec_allowed_methods
  if $modsec_disable_vhost or $modsec_disable_ids or !empty($modsec_disable_ips) or $modsec_disable_msgs or $modsec_disable_tags or $modsec_audit_log_destination or ($modsec_inbound_anomaly_threshold and $modsec_outbound_anomaly_threshold) or $modsec_allowed_methods {
    concat::fragment { "${name}-security":
      target  => "${priority_real}${filename}.conf",
      order   => 320,
      content => template('apache/vhost/_security.erb'),
    }
  }

  # Template uses:
  # - $filters
  if ! empty($filters) and $ensure == 'present' {
    include apache::mod::filter

    concat::fragment { "${name}-filters":
      target  => "${priority_real}${filename}.conf",
      order   => 330,
      content => template('apache/vhost/_filters.erb'),
    }
  }

  # Template uses:
  # - $jk_mounts
  if !empty($jk_mounts) and $ensure == 'present' {
    include apache::mod::jk

    concat::fragment { "${name}-jk_mounts":
      target  => "${priority_real}${filename}.conf",
      order   => 340,
      content => template('apache/vhost/_jk_mounts.erb'),
    }
  }

  # Template uses:
  # - $keepalive
  # - $keepalive_timeout
  # - $max_keepalive_requests
  if $keepalive or $keepalive_timeout or $max_keepalive_requests {
    concat::fragment { "${name}-keepalive_options":
      target  => "${priority_real}${filename}.conf",
      order   => 350,
      content => template('apache/vhost/_keepalive_options.erb'),
    }
  }

  # Template uses:
  # - $cas_*
  if $cas_enabled {
    concat::fragment { "${name}-auth_cas":
      target  => "${priority_real}${filename}.conf",
      order   => 350,
      content => template('apache/vhost/_auth_cas.erb'),
    }
  }

  # Template uses:
  # - $http_protocol_options
  if $http_protocol_options {
    concat::fragment { "${name}-http_protocol_options":
      target  => "${priority_real}${filename}.conf",
      order   => 350,
      content => template('apache/vhost/_http_protocol_options.erb'),
    }
  }

  # Template uses:
  # - $auth_oidc
  # - $oidc_settings
  if $auth_oidc and $ensure == 'present' {
    include apache::mod::auth_openidc

    concat::fragment { "${name}-auth_oidc":
      target  => "${priority_real}${filename}.conf",
      order   => 360,
      content => template('apache/vhost/_auth_oidc.erb'),
    }
  }

  # Template uses:
  # - $shib_compat_valid_user
  if $shibboleth_enabled {
    concat::fragment { "${name}-shibboleth":
      target  => "${priority_real}${filename}.conf",
      order   => 370,
      content => template('apache/vhost/_shib.erb'),
    }
  }

  # - $use_canonical_name
  if $use_canonical_name {
    concat::fragment { "${name}-use_canonical_name":
      target  => "${priority_real}${filename}.conf",
      order   => 360,
      content => template('apache/vhost/_use_canonical_name.erb'),
    }
  }

  # Template uses no variables
  concat::fragment { "${name}-file_footer":
    target  => "${priority_real}${filename}.conf",
    order   => 999,
    content => template('apache/vhost/_file_footer.erb'),
  }
}