Stricter data type on apache::vhost::modsec_disable_ips

puppetlabs · Jun 16, 2022 · 88d7b26 · 88d7b26
1 parent 32c3cac
commit 88d7b26
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 5 deletions.
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
@@ -1954,7 +1954,7 @@
   Optional[String] $add_default_charset                                               = undef,
   Boolean $modsec_disable_vhost                                                       = false,
   Optional[Variant[Hash, Array]] $modsec_disable_ids                                  = undef,
-  Optional[Array[String]] $modsec_disable_ips                                         = undef,
+  Array[String[1]] $modsec_disable_ips                                                = [],
   Optional[Variant[Hash, Array]] $modsec_disable_msgs                                 = undef,
   Optional[Variant[Hash, Array]] $modsec_disable_tags                                 = undef,
   Optional[String] $modsec_body_limit                                                 = undef,
@@ -2876,7 +2876,7 @@
   # - $modsec_disable_tags
   # - $modsec_body_limit
   # - $modsec_audit_log_destination
-  if $modsec_disable_vhost or $modsec_disable_ids or $modsec_disable_ips or $modsec_disable_msgs or $modsec_disable_tags or $modsec_audit_log_destination {
+  if $modsec_disable_vhost or $modsec_disable_ids or !empty($modsec_disable_ips) or $modsec_disable_msgs or $modsec_disable_tags or $modsec_audit_log_destination {
     concat::fragment { "${name}-security":
       target  => "${priority_real}${filename}.conf",
       order   => 320,

diff --git a/templates/vhost/_security.erb b/templates/vhost/_security.erb
@@ -14,9 +14,8 @@
   </LocationMatch>
 <%   end -%>
 <% end -%>
-<% ips = Array(@modsec_disable_ips).join(',') %>
-<% if ips != '' %>
-  SecRule REMOTE_ADDR "<%= ips %>" "nolog,allow,id:1234123455"
+<% unless @modsec_disable_ips.empty? %>
+  SecRule REMOTE_ADDR "<%= @modsec_disable_ips.join(',') %>" "nolog,allow,id:1234123455"
   SecAction  "phase:2,pass,nolog,id:1234123456"
 <% end -%>
 <% if @_modsec_disable_msgs.is_a?(Hash) -%>