freighthop 0.2.1 → 0.3.0

data/modules/apache/templates/mod/nss.conf.erb

@@ -0,0 +1,228 @@
+#
+# This is the Apache server configuration file providing SSL support using.
+# the mod_nss plugin.  It contains the configuration directives to instruct
+# the server how to serve pages over an https connection.
+# 
+# Do NOT simply read the instructions in here without understanding
+# what they do.  They're here only as hints or reminders.  If you are unsure
+# consult the online docs. You have been warned.  
+#
+
+#LoadModule nss_module modules/libmodnss.so
+
+#
+# When we also provide SSL we have to listen to the 
+# standard HTTP port (see above) and to the HTTPS port
+#
+# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
+#       Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443"
+#
+Listen 8443
+
+##
+##  SSL Global Context
+##
+##  All SSL configuration in this context applies both to
+##  the main server and all SSL-enabled virtual hosts.
+##
+
+#
+#   Some MIME-types for downloading Certificates and CRLs
+#
+AddType application/x-x509-ca-cert .crt
+AddType application/x-pkcs7-crl    .crl
+
+#   Pass Phrase Dialog:
+#   Configure the pass phrase gathering process.
+#   The filtering dialog program (`builtin' is a internal
+#   terminal dialog) has to provide the pass phrase on stdout.
+<% if @passwd_file -%>
+NSSPassPhraseDialog  file:<%= @passwd_file %>
+<% else -%>
+NSSPassPhraseDialog  builtin
+<% end -%>
+
+#   Pass Phrase Helper:
+#   This helper program stores the token password pins between
+#   restarts of Apache.
+NSSPassPhraseHelper /usr/sbin/nss_pcache
+
+#   Configure the SSL Session Cache. 
+#   NSSSessionCacheSize is the number of entries in the cache.
+#   NSSSessionCacheTimeout is the SSL2 session timeout (in seconds).
+#   NSSSession3CacheTimeout is the SSL3/TLS session timeout (in seconds).
+NSSSessionCacheSize 10000
+NSSSessionCacheTimeout 100
+NSSSession3CacheTimeout 86400
+
+#
+# Pseudo Random Number Generator (PRNG):
+# Configure one or more sources to seed the PRNG of the SSL library.
+# The seed data should be of good random quality.
+# WARNING! On some platforms /dev/random blocks if not enough entropy
+# is available. Those platforms usually also provide a non-blocking
+# device, /dev/urandom, which may be used instead.
+#
+# This does not support seeding the RNG with each connection.
+
+NSSRandomSeed startup builtin
+#NSSRandomSeed startup file:/dev/random  512
+#NSSRandomSeed startup file:/dev/urandom 512
+
+#
+# TLS Negotiation configuration under RFC 5746
+#
+# Only renegotiate if the peer's hello bears the TLS renegotiation_info
+# extension. Default off.
+NSSRenegotiation off
+
+# Peer must send Signaling Cipher Suite Value (SCSV) or
+# Renegotiation Info (RI) extension in ALL handshakes.  Default: off
+NSSRequireSafeNegotiation off
+
+##
+## SSL Virtual Host Context
+##
+
+<VirtualHost _default_:8443>
+
+#   General setup for the virtual host
+#DocumentRoot "/etc/httpd/htdocs"
+#ServerName www.example.com:8443
+#ServerAdmin you@example.com
+
+# mod_nss can log to separate log files, you can choose to do that if you'd like
+# LogLevel is not inherited from httpd.conf.
+ErrorLog <%= @error_log %>
+TransferLog <%= @transfer_log %>
+LogLevel warn
+
+#   SSL Engine Switch:
+#   Enable/Disable SSL for this virtual host.
+NSSEngine on
+
+#   SSL Cipher Suite:
+#   List the ciphers that the client is permitted to negotiate.
+#   See the mod_nss documentation for a complete list.
+
+# SSL 3 ciphers. SSL 2 is disabled by default.
+NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
+
+# SSL 3 ciphers + ECC ciphers. SSL 2 is disabled by default.
+#
+# Comment out the NSSCipherSuite line above and use the one below if you have
+# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
+#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
+
+#   SSL Protocol:
+#   Cryptographic protocols that provide communication security.
+#   NSS handles the specified protocols as "ranges", and automatically
+#   negotiates the use of the strongest protocol for a connection starting
+#   with the maximum specified protocol and downgrading as necessary to the
+#   minimum specified protocol that can be used between two processes.
+#   Since all protocol ranges are completely inclusive, and no protocol in the
+#   middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
+#   is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
+NSSProtocol SSLv3,TLSv1.0,TLSv1.1
+
+#   SSL Certificate Nickname:
+#   The nickname of the RSA server certificate you are going to use.
+NSSNickname Server-Cert
+
+#   SSL Certificate Nickname:
+#   The nickname of the ECC server certificate you are going to use, if you
+#   have an ECC-enabled version of NSS and mod_nss
+#NSSECCNickname Server-Cert-ecc
+
+#   Server Certificate Database:
+#   The NSS security database directory that holds the certificates and
+#   keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
+#   Provide the directory that these files exist.
+NSSCertificateDatabase <%= @httpd_dir -%>/alias
+
+#   Database Prefix:
+#   In order to be able to store multiple NSS databases in one directory
+#   they need unique names. This option sets the database prefix used for
+#   cert8.db and key3.db.
+#NSSDBPrefix my-prefix-
+
+#   Client Authentication (Type):
+#   Client certificate verification type.  Types are none, optional and
+#   require.
+#NSSVerifyClient none
+
+#
+#   Online Certificate Status Protocol (OCSP).
+#   Verify that certificates have not been revoked before accepting them.
+#NSSOCSP off
+
+#
+#   Use a default OCSP responder. If enabled this will be used regardless
+#   of whether one is included in a client certificate. Note that the
+#   server certificate is verified during startup.
+#
+#   NSSOCSPDefaultURL defines the service URL of the OCSP responder
+#   NSSOCSPDefaultName is the nickname of the certificate to trust to
+#       sign the OCSP responses.
+#NSSOCSPDefaultResponder on
+#NSSOCSPDefaultURL http://example.com/ocsp/status
+#NSSOCSPDefaultName ocsp-nickname
+
+#   Access Control:
+#   With SSLRequire you can do per-directory access control based
+#   on arbitrary complex boolean expressions containing server
+#   variable checks and other lookup directives.  The syntax is a
+#   mixture between C and Perl.  See the mod_nss documentation
+#   for more details.
+#<Location />
+#NSSRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
+#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+#   SSL Engine Options:
+#   Set various options for the SSL engine.
+#   o FakeBasicAuth:
+#     Translate the client X.509 into a Basic Authorisation.  This means that
+#     the standard Auth/DBMAuth methods can be used for access control.  The
+#     user name is the `one line' version of the client's X.509 certificate.
+#     Note that no password is obtained from the user. Every entry in the user
+#     file needs this password: `xxj31ZMTZzkVA'.
+#   o ExportCertData:
+#     This exports two additional environment variables: SSL_CLIENT_CERT and
+#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+#     server (always existing) and the client (only existing when client
+#     authentication is used). This can be used to import the certificates
+#     into CGI scripts.
+#   o StdEnvVars:
+#     This exports the standard SSL/TLS related `SSL_*' environment variables.
+#     Per default this exportation is switched off for performance reasons,
+#     because the extraction step is an expensive operation and is usually
+#     useless for serving static content. So one usually enables the
+#     exportation for CGI and SSI requests only.
+#   o StrictRequire:
+#     This denies access when "NSSRequireSSL" or "NSSRequire" applied even
+#     under a "Satisfy any" situation, i.e. when it applies access is denied
+#     and no other module can change it.
+#   o OptRenegotiate:
+#     This enables optimized SSL connection renegotiation handling when SSL
+#     directives are used in per-directory context. 
+#NSSOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+    NSSOptions +StdEnvVars
+</Files>
+<Directory "/var/www/cgi-bin">
+    NSSOptions +StdEnvVars
+</Directory>
+
+#   Per-Server Logging:
+#   The home of a custom SSL log file. Use this when you want a
+#   compact non-error SSL logfile on a virtual host basis.
+#CustomLog /home/rcrit/redhat/apache/logs/ssl_request_log \
+#          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>                                  
+

data/modules/apache/templates/mod/passenger.conf.erb

@@ -0,0 +1,30 @@
+# The Passanger Apache module configuration file is being
+# managed by Puppet and changes will be overwritten.
+<IfModule mod_passenger.c>
+  PassengerRoot <%= @passenger_root %>
+  PassengerRuby <%= @passenger_ruby %>
+  <%- if @passenger_high_performance -%>
+  PassengerHighPerformance <%= @passenger_high_performance %>
+  <%- end -%>
+  <%- if @passenger_max_pool_size -%>
+  PassengerMaxPoolSize <%= @passenger_max_pool_size %>
+  <%- end -%>
+  <%- if @passenger_pool_idle_time -%>
+  PassengerPoolIdleTime <%= @passenger_pool_idle_time %>
+  <%- end -%>
+  <%- if @passenger_max_requests -%>
+  PassengerMaxRequests <%= @passenger_max_requests %>
+  <%- end -%>
+  <%- if @passenger_stat_throttle_rate -%>
+  PassengerStatThrottleRate <%= @passenger_stat_throttle_rate %>
+  <%- end -%>
+  <%- if @rack_autodetect -%>
+  RackAutoDetect <%= @rack_autodetect %>
+  <%- end -%>
+  <%- if @rails_autodetect -%>
+  RailsAutoDetect <%= @rails_autodetect %>
+  <%- end -%>
+  <%- if @passenger_use_global_queue -%>
+  PassengerUseGlobalQueue <%= @passenger_use_global_queue %>
+  <%- end -%> 
+</IfModule>

data/modules/apache/templates/mod/peruser.conf.erb

@@ -0,0 +1,12 @@
+<IfModule mpm_peruser_module>
+  MinSpareProcessors  <%= @minspareprocessors %>
+  MinProcessors       <%= @minprocessors %>
+  MaxProcessors       <%= @maxprocessors %>
+  MaxClients          <%= @maxclients %>
+  MaxRequestsPerChild <%= @maxrequestsperchild %>
+  IdleTimeout         <%= @idletimeout %>
+  ExpireTimeout       <%= @expiretimeout %>
+  KeepAlive           <%= @keepalive %>
+  Include             <%= @mod_dir %>/peruser/multiplexers/*.conf
+  Include             <%= @mod_dir %>/peruser/processors/*.conf
+</IfModule>

data/modules/apache/templates/mod/php5.conf.erb

@@ -0,0 +1,30 @@
+#
+# PHP is an HTML-embedded scripting language which attempts to make it
+# easy for developers to write dynamically generated webpages.
+#
+#<IfModule prefork.c>
+#  LoadModule php5_module modules/libphp5.so
+#</IfModule>
+#<IfModule worker.c>
+#  # Use of the "ZTS" build with worker is experimental, and no shared
+#  # modules are supported.
+#  LoadModule php5_module modules/libphp5-zts.so
+#</IfModule>
+
+#
+# Cause the PHP interpreter to handle files with a .php extension.
+#
+AddHandler php5-script .php
+AddType text/html .php
+
+#
+# Add index.php to the list of files that will be served as directory
+# indexes.
+#
+DirectoryIndex index.php
+
+#
+# Uncomment the following line to allow PHP to pretty-print .phps
+# files as PHP source code:
+#
+#AddType application/x-httpd-php-source .phps

data/modules/apache/templates/mod/prefork.conf.erb

@@ -0,0 +1,8 @@
+<IfModule mpm_prefork_module>
+  StartServers        <%= @startservers %>
+  MinSpareServers     <%= @minspareservers %>
+  MaxSpareServers     <%= @maxspareservers %>
+  ServerLimit         <%= @serverlimit %>
+  MaxClients          <%= @maxclients %>
+  MaxRequestsPerChild <%= @maxrequestsperchild %>
+</IfModule>

data/modules/apache/templates/mod/proxy.conf.erb

@@ -0,0 +1,23 @@
+#
+# Proxy Server directives. Uncomment the following lines to
+# enable the proxy server:
+#
+<IfModule mod_proxy.c>
+  # Do not enable proxying with ProxyRequests until you have secured your
+  # server.  Open proxy servers are dangerous both to your network and to the
+  # Internet at large.
+  ProxyRequests <%= @proxy_requests %>
+
+  <% if @proxy_requests != 'Off' or ( @allow_from and ! @allow_from.empty? ) -%>
+  <Proxy *>
+    Order deny,allow
+    Deny from all
+    Allow from <%= Array(@allow_from).join(" ") %>
+  </Proxy>
+  <% end -%>
+
+  # Enable/disable the handling of HTTP/1.1 "Via:" headers.
+  # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
+  # Set to one of: Off | On | Full | Block
+  ProxyVia On
+</IfModule>

data/modules/apache/templates/mod/proxy_html.conf.erb

@@ -0,0 +1,24 @@
+<% if @proxy_html_loadfiles -%>
+<% Array(@proxy_html_loadfiles).each do |loadfile| -%>
+LoadFile <%= loadfile %>
+<% end -%>
+
+<% end -%>
+ProxyHTMLLinks  a               href
+ProxyHTMLLinks  area            href
+ProxyHTMLLinks  link            href
+ProxyHTMLLinks  img             src longdesc usemap
+ProxyHTMLLinks  object          classid codebase data usemap
+ProxyHTMLLinks  q               cite
+ProxyHTMLLinks  blockquote      cite
+ProxyHTMLLinks  ins             cite
+ProxyHTMLLinks  del             cite
+ProxyHTMLLinks  form            action
+ProxyHTMLLinks  input           src usemap
+ProxyHTMLLinks  head            profileProxyHTMLLinks  base            href
+ProxyHTMLLinks  script          src for
+
+ProxyHTMLEvents onclick ondblclick onmousedown onmouseup \
+                onmouseover onmousemove onmouseout onkeypress \
+                onkeydown onkeyup onfocus onblur onload \
+                onunload onsubmit onreset onselect onchange

data/modules/apache/templates/mod/reqtimeout.conf.erb

@@ -0,0 +1,2 @@
+RequestReadTimeout header=20-40,minrate=500
+RequestReadTimeout body=10,minrate=500

data/modules/apache/templates/mod/rpaf.conf.erb

@@ -0,0 +1,15 @@
+# Enable reverse proxy add forward
+RPAFenable On
+# RPAFsethostname will, when enabled, take the incoming X-Host header and
+# update the virtual host settings accordingly. This allows to have the same
+# hostnames as in the "real" configuration for the forwarding proxy.
+<% if @sethostname -%>
+RPAFsethostname On
+<% else -%>
+RPAFsethostname Off
+<% end -%>
+# Which IPs are forwarding requests to us
+RPAFproxy_ips <%= Array(@proxy_ips).join(" ") %>
+# Setting RPAFheader allows you to change the header name to parse from the
+# default X-Forwarded-For to something of your choice.
+RPAFheader <%= @header %>

data/modules/apache/templates/mod/setenvif.conf.erb

@@ -0,0 +1,34 @@
+#
+# The following directives modify normal HTTP response behavior to
+# handle known problems with browser implementations.
+#
+BrowserMatch "Mozilla/2" nokeepalive
+BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
+BrowserMatch "RealPlayer 4\.0" force-response-1.0
+BrowserMatch "Java/1\.0" force-response-1.0
+BrowserMatch "JDK/1\.0" force-response-1.0
+
+#
+# The following directive disables redirects on non-GET requests for
+# a directory that does not include the trailing slash.  This fixes a 
+# problem with Microsoft WebFolders which does not appropriately handle 
+# redirects for folders with DAV methods.
+# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
+#
+BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
+BrowserMatch "MS FrontPage" redirect-carefully
+BrowserMatch "^WebDrive" redirect-carefully
+BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
+BrowserMatch "^gnome-vfs/1.0" redirect-carefully
+BrowserMatch "^gvfs/1" redirect-carefully
+BrowserMatch "^XML Spy" redirect-carefully
+BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
+BrowserMatch " Konqueror/4" redirect-carefully
+
+<IfModule mod_ssl.c>
+  BrowserMatch "MSIE [2-6]" \
+    nokeepalive ssl-unclean-shutdown \
+    downgrade-1.0 force-response-1.0
+  # MSIE 7 and newer should be able to use keepalive
+  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+</IfModule>

data/modules/apache/templates/mod/ssl.conf.erb

@@ -0,0 +1,24 @@
+<IfModule mod_ssl.c>
+  SSLRandomSeed startup builtin
+  SSLRandomSeed startup file:/dev/urandom 512
+  SSLRandomSeed connect builtin
+  SSLRandomSeed connect file:/dev/urandom 512
+
+  AddType application/x-x509-ca-cert .crt
+  AddType application/x-pkcs7-crl    .crl
+
+  SSLPassPhraseDialog  builtin
+  SSLSessionCache shmcb:<%= @session_cache %>
+  SSLSessionCacheTimeout 300
+<% if @ssl_compression -%>
+  SSLCompression Off
+<% end -%>
+  SSLMutex <%= @ssl_mutex %>
+  SSLCryptoDevice builtin
+  SSLHonorCipherOrder On
+  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+  SSLProtocol all -SSLv2
+<% if @ssl_options -%>
+  SSLOptions <%= @ssl_options.compact.join(' ') %>
+<% end -%>
+</IfModule>

data/modules/apache/templates/mod/status.conf.erb

@@ -0,0 +1,12 @@
+<Location /server-status>
+    SetHandler server-status
+    Order deny,allow
+    Deny from all
+    Allow from <%= Array(@allow_from).join(" ") %>
+</Location>
+ExtendedStatus <%= @extended_status %>
+
+<IfModule mod_proxy.c>
+    # Show Proxy LoadBalancer status in mod_status
+    ProxyStatus On
+</IfModule>

data/modules/apache/templates/mod/suphp.conf.erb

@@ -0,0 +1,19 @@
+<IfModule mod_suphp.c>
+    AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
+    suPHP_AddHandler application/x-httpd-suphp
+
+    <Directory />
+        suPHP_Engine on
+    </Directory>
+
+    # By default, disable suPHP for debian packaged web applications as files
+    # are owned by root and cannot be executed by suPHP because of min_uid.
+    <Directory /usr/share>
+        suPHP_Engine off
+    </Directory>
+
+# # Use a specific php config file (a dir which contains a php.ini file)
+#       suPHP_ConfigPath /etc/php4/cgi/suphp/
+# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
+#       suPHP_RemoveHandler <mime-type>
+</IfModule>

data/modules/apache/templates/mod/userdir.conf.erb

@@ -0,0 +1,19 @@
+<IfModule mod_userdir.c>
+<% if @disable_root -%>
+  UserDir disabled root
+<% end -%>
+  UserDir <%= @dir %>
+
+  <Directory <%= @home %>/*/<%= @dir %>>
+    AllowOverride FileInfo AuthConfig Limit Indexes
+    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+    <Limit GET POST OPTIONS>
+      Order allow,deny
+      Allow from all
+    </Limit>
+    <LimitExcept GET POST OPTIONS>
+      Order deny,allow
+      Deny from all
+    </LimitExcept>
+  </Directory>
+</IfModule>

data/modules/apache/templates/mod/worker.conf.erb

@@ -0,0 +1,9 @@
+<IfModule mpm_worker_module>
+  ServerLimit         <%= @serverlimit %>
+  StartServers        <%= @startservers %>
+  MaxClients          <%= @maxclients %>
+  MinSpareThreads     <%= @minsparethreads %>
+  MaxSpareThreads     <%= @maxsparethreads %>
+  ThreadsPerChild     <%= @threadsperchild %>
+  MaxRequestsPerChild <%= @maxrequestsperchild %>
+</IfModule>

data/modules/apache/templates/mod/wsgi.conf.erb

@@ -0,0 +1,13 @@
+# The WSGI Apache module configuration file is being
+# managed by Puppet an changes will be overwritten.
+<IfModule mod_wsgi.c>
+  <%- if @wsgi_socket_prefix -%>
+  WSGISocketPrefix <%= @wsgi_socket_prefix %>
+  <%- end -%>
+  <%- if @wsgi_python_home -%>
+  WSGIPythonHome <%= @wsgi_python_home %>
+  <%- end -%>
+  <%- if @wsgi_python_path -%>
+  WSGIPythonPath <%= @wsgi_python_path %>
+  <%- end -%>  
+</IfModule>

data/modules/apache/templates/namevirtualhost.erb

@@ -0,0 +1,8 @@
+<%# NameVirtualHost should always be one of:
+  - *
+  - *:<port>
+  - _default_:<port>
+  - <ip>
+  - <ip>:<port>
+-%>
+NameVirtualHost <%= @addr_port %>

data/modules/apache/templates/ports_header.erb

@@ -0,0 +1,5 @@
+# ************************************
+# Listen & NameVirtualHost resources in module puppetlabs-apache
+# Managed by Puppet
+# ************************************
+

data/modules/apache/templates/vhost/_aliases.erb

@@ -0,0 +1,12 @@
+<% if @aliases and ! @aliases.empty? -%>
+  ## Alias declarations for resources outside the DocumentRoot
+  <%- [@aliases].flatten.compact.each do |alias_statement| -%>
+    <%- if alias_statement["path"] != '' -%>
+      <%- if alias_statement["alias"] and alias_statement["alias"] != '' -%>
+  Alias <%= alias_statement["alias"] %> <%= alias_statement["path"] %>
+      <%- elsif alias_statement["aliasmatch"] and alias_statement["aliasmatch"] != '' -%>
+  AliasMatch <%= alias_statement["aliasmatch"] %> <%= alias_statement["path"] %>
+      <%- end -%>
+    <%- end -%>
+  <%- end -%>
+<% end -%>

data/modules/apache/templates/vhost/_block.erb

@@ -0,0 +1,10 @@
+<% if @block and ! @block.empty? -%>
+
+  ## Block access statements
+<% if @block.include? 'scm' -%>
+  # Block access to SCM directories.
+  <DirectoryMatch .*\.(svn|git|bzr)/.*>
+    Deny From All
+  </DirectoryMatch>
+<% end -%>
+<% end -%>

data/modules/apache/templates/vhost/_custom_fragment.erb

@@ -0,0 +1,5 @@
+<% if @custom_fragment -%>
+
+  ## Custom fragment
+<%= @custom_fragment %>
+<% end -%>