Defined Type: apache::vhost

Defined in:: manifests/vhost.pp

Summary

Allows specialised configurations for virtual hosts that possess requirements outside of the defaults.

Overview

The apache module allows a lot of flexibility in the setup and configuration of virtual hosts. This flexibility is due, in part, to ‘vhost` being a defined resource type, which allows Apache to evaluate it multiple times with different parameters. The `apache::vhost` defined type allows you to have specialized configurations for virtual hosts that have requirements outside the defaults. You can set up a default virtual host within the base `::apache` class, as well as set a customized virtual host as the default. Customized virtual hosts have a lower numeric `priority` than the base class’s, causing Apache to process the customized virtual host first. The ‘apache::vhost` defined type uses `concat::fragment` to build the configuration file. To inject custom fragments for pieces of the configuration that the defined type doesn’t inherently support, add a custom fragment. For the custom fragment’s ‘order` parameter, the `apache::vhost` defined type uses multiples of 10, so any `order` that isn’t a multiple of 10 should work. > Note: When creating an ‘apache::vhost`, it cannot be named `default` or `default-ssl`, because vhosts with these titles are always managed by the module. This means that you cannot override `Apache::Vhost` or `Apache::Vhost` resources. An optional workaround is to create a vhost named something else, such as `my default`, and ensure that the `default` and `default_ssl` vhosts are set to `false`:

Examples:

class { 'apache':
  default_vhost     => false,
  default_ssl_vhost => false,
}

Parameters:

access_log (Boolean) (defaults to: true) —

Determines whether to configure ‘*_access.log` directives (`*_file`, `*_pipe`, or `*_syslog`).
access_log_env_var (Optional[Variant[Boolean, String]]) (defaults to: undef) —

Specifies that only requests with particular environment variables be logged.
access_log_file (Optional[String[1]]) (defaults to: undef) —

Sets the filename of the ‘*_access.log` placed in `logroot`. Given a virtual host —for instance, example.com— it defaults to ’example.com_ssl.log’ for [SSL-encrypted](httpd.apache.org/docs/current/ssl/index.html) virtual hosts and ‘example.com_access.log` for unencrypted virtual hosts.
access_log_format (Optional[String[1]]) (defaults to: undef) —

Specifies the use of either a ‘LogFormat` nickname or a custom-formatted string for the access log.
access_log_pipe (Optional[String[1]]) (defaults to: undef) —

Specifies a pipe where Apache sends access log messages.
access_log_syslog (Optional[Variant[String, Boolean]]) (defaults to: undef) —

Sends all access log messages to syslog.
access_logs (Optional[Array[Hash]]) (defaults to: undef) —

Allows you to give a hash that specifies the state of each of the ‘access_log_*` directives shown above, i.e. `access_log_pipe` and `access_log_syslog`.
add_default_charset (Optional[String]) (defaults to: undef) —

Sets a default media charset value for the ‘AddDefaultCharset` directive, which is added to `text/plain` and `text/html` responses.
add_listen (Boolean) (defaults to: true) —

Determines whether the virtual host creates a ‘Listen` statement. Setting `add_listen` to `false` prevents the virtual host from creating a `Listen` statement. This is important when combining virtual hosts that aren’t passed an ‘ip` parameter with those that are.
use_optional_includes (Boolean) (defaults to: $apache::use_optional_includes) —

Specifies whether Apache uses the ‘IncludeOptional` directive instead of `Include` for `additional_includes` in Apache 2.4 or newer.
aliases (Array[Hash[String[1], String[1]]]) (defaults to: []) —
Passes a list of [hashes] to the virtual host to create ‘Alias`, `AliasMatch`, `ScriptAlias` or `ScriptAliasMatch` directives as per the `mod_alias` documentation. For example: “` puppet aliases => [
```
{ aliasmatch => '^/image/(.*)\.jpg$',
 path => '/files/jpg.images/$1.jpg',
},
{ alias => '/image',
 path => '/ftp/pub/image',
},
{ scriptaliasmatch => '^/cgi-bin(.*)',
 path => '/usr/local/share/cgi-bin$1',
},
{ scriptalias => '/nagios/cgi-bin/',
 path => '/usr/lib/nagios/cgi-bin/',
},
{ alias => '/nagios',
 path => '/usr/share/nagios/html',
},
```
], “‘ For the `alias`, `aliasmatch`, `scriptalias` and `scriptaliasmatch` keys to work, each needs a corresponding context, such as `<Directory /path/to/directory>` or `<Location /some/location/here>`. Puppet creates the directives in the order specified in the `aliases` parameter. As described in the `mod_alias` documentation, add more specific `alias`, `aliasmatch`, `scriptalias` or `scriptaliasmatch` parameters before the more general ones to avoid shadowing. If `apache::mod::passenger` is loaded and `PassengerHighPerformance` is `true`, the `Alias` directive might not be able to honor the `PassengerEnabled => off` statement. See [this article](www.conandalton.net/2010/06/passengerenabled-off-not-working.html) for details.
allow_encoded_slashes (Optional[Variant[Apache::OnOff, Enum['nodecode']]]) (defaults to: undef) —

Sets the ‘AllowEncodedSlashes` declaration for the virtual host, overriding the server default. This modifies the virtual host responses to URLs with `` and `/` characters. The default setting omits the declaration from the server configuration and selects the Apache default setting of `Off`.
block (Variant[Array[String], String]) (defaults to: []) —

Specifies the list of things to which Apache blocks access. Valid options are: ‘scm` (which blocks web access to `.svn`), `.git`, and `.bzr` directories.
cas_attribute_prefix (Optional[String]) (defaults to: undef) —

Adds a header with the value of this header being the attribute values when SAML validation is enabled.
cas_attribute_delimiter (Optional[String]) (defaults to: undef) —

Sets the delimiter between attribute values in the header created by ‘cas_attribute_prefix`.
cas_login_url (Optional[String]) (defaults to: undef) —

Sets the URL to which the module redirects users when they attempt to access a CAS-protected resource and don’t have an active session.
cas_root_proxied_as (Optional[String]) (defaults to: undef) —

Sets the URL end users see when access to this Apache server is proxied per vhost. This URL should not include a trailing slash.
cas_scrub_request_headers (Boolean) (defaults to: false) —

Remove inbound request headers that may have special meaning within mod_auth_cas.
cas_sso_enabled (Boolean) (defaults to: false) —

Enables experimental support for single sign out (may mangle POST data).
cas_validate_saml (Boolean) (defaults to: false) —

Parse response from CAS server for SAML.
cas_validate_url (Optional[String]) (defaults to: undef) —

Sets the URL to use when validating a client-presented ticket in an HTTP query string.
cas_cookie_path (Optional[String]) (defaults to: undef) —

Sets the location where information on the current session should be stored. This should be writable by the web server only.
comment (Optional[Variant[String, Array[String]]]) (defaults to: undef) —
Adds comments to the header of the configuration file. Pass as string or an array of strings. For example: “‘ puppet comment => “Account number: 123B”, “` Or: “` puppet comment => [
```
"Customer: X",
"Frontend domain: x.example.org",
```
] “‘
default_vhost (Boolean) (defaults to: false) —

Sets a given ‘apache::vhost` defined type as the default to serve requests that do not match any other `apache::vhost` defined types.
directoryindex (Optional[String]) (defaults to: undef) —

Sets the list of resources to look for when a client requests an index of the directory by specifying a ‘/’ at the end of the directory name. See the ‘DirectoryIndex` directive documentation for details.
docroot (Variant[Stdlib::Absolutepath, Boolean]) —

Required. Sets the ‘DocumentRoot` location, from which Apache serves files. If `docroot` and `manage_docroot` are both set to `false`, no `DocumentRoot` will be set and the accompanying `<Directory /path/to/directory>` block will not be created.
docroot_group (String) (defaults to: $apache::params::root_group) —

Sets group access to the ‘docroot` directory.
docroot_owner (String) (defaults to: 'root') —

Sets individual user access to the ‘docroot` directory.
docroot_mode (Optional[Stdlib::Filemode]) (defaults to: undef) —

Sets access permissions for the ‘docroot` directory, in numeric notation.
manage_docroot (Boolean) (defaults to: true) —

Determines whether Puppet manages the ‘docroot` directory.
error_log (Boolean) (defaults to: true) —

Specifies whether ‘*_error.log` directives should be configured.
error_log_file (Optional[String]) (defaults to: undef) —

Points the virtual host’s error logs to a ‘*_error.log` file. If this parameter is undefined, Puppet checks for values in `error_log_pipe`, then `error_log_syslog`. If none of these parameters is set, given a virtual host `example.com`, Puppet defaults to `$logroot/example.com_error_ssl.log` for SSL virtual hosts and `$logroot/example.com_error.log` for non-SSL virtual hosts.
error_log_pipe (Optional[String]) (defaults to: undef) —

Specifies a pipe to send error log messages to. This parameter has no effect if the ‘error_log_file` parameter has a value. If neither this parameter nor `error_log_file` has a value, Puppet then checks `error_log_syslog`.
error_log_syslog (Optional[Variant[String, Boolean]]) (defaults to: undef) —

Determines whether to send all error log messages to syslog. This parameter has no effect if either of the ‘error_log_file` or `error_log_pipe` parameters has a value. If none of these parameters has a value, given a virtual host `example.com`, Puppet defaults to `$logroot/example.com_error_ssl.log` for SSL virtual hosts and `$logroot/example.com_error.log` for non-SSL virtual hosts.
error_log_format (Optional[ Array[ Variant[ String, Hash[String, Enum['connection', 'request']] ] ] ]) (defaults to: undef) —
Sets the [ErrorLogFormat](httpd.apache.org/docs/current/mod/core.html#errorlogformat) format specification for error log entries inside virtual host For example: “‘ puppet apache::vhost { ’site.name.fdqn’:
```
...
error_log_format => [
  '[%{uc}t] [%-m:%-l] [R:%L] [C:%{C}L] %7F: %E: %M',
  { '[%{uc}t] [R:%L] Request %k on C:%{c}L pid:%P tid:%T' => 'request' },
  { "[%{uc}t] [R:%L] UA:'%+{User-Agent}i'" => 'request' },
  { "[%{uc}t] [R:%L] Referer:'%+{Referer}i'" => 'request' },
  { '[%{uc}t] [C:%{c}L] local\ %a remote\ %A' => 'connection' },
],
```
} “‘
error_documents (Variant[Array[Hash], String]) (defaults to: []) —
A list of hashes which can be used to override the [ErrorDocument](httpd.apache.org/docs/current/mod/core.html#errordocument) settings for this virtual host. For example: “‘ puppet apache::vhost { ’sample.example.net’:
```
error_documents => [
 { 'error_code' => '503', 'document' => '/service-unavail' },
 { 'error_code' => '407', 'document' => 'https://example.com/proxy/login' },
],
```
} “‘
ensure (Enum['absent', 'present']) (defaults to: 'present') —

Specifies if the virtual host is present or absent.
show_diff (Boolean) (defaults to: true) —

Specifies whether to set the show_diff parameter for the file resource.
fallbackresource (Optional[Variant[Stdlib::Absolutepath, Enum['disabled']]]) (defaults to: undef) —

Sets the [FallbackResource](httpd.apache.org/docs/current/mod/mod_dir.html#fallbackresource) directive, which specifies an action to take for any URL that doesn’t map to anything in your filesystem and would otherwise return ‘HTTP 404 (Not Found)’. Values must either begin with a ‘/` or be `disabled`.
filters (Array[String[1]]) (defaults to: []) —
[Filters](httpd.apache.org/docs/current/mod/mod_filter.html) enable smart, context-sensitive configuration of output content filters. “‘ puppet apache::vhost { “$::fqdn”:
```
filters => [
  'FilterDeclare   COMPRESS',
  'FilterProvider  COMPRESS DEFLATE resp=Content-Type $text/html',
  'FilterChain     COMPRESS',
  'FilterProtocol  COMPRESS DEFLATE change=yes;byteranges=no',
],
```
} “‘
h2_copy_files (Optional[Boolean]) (defaults to: undef) —

Sets the [H2CopyFiles](httpd.apache.org/docs/current/mod/mod_http2.html#h2copyfiles) directive which influences how the requestion process pass files to the main connection.
h2_direct (Optional[Boolean]) (defaults to: undef) —

Sets the [H2Direct](httpd.apache.org/docs/current/mod/mod_http2.html#h2direct) directive which toggles the usage of the HTTP/2 Direct Mode.
h2_early_hints (Optional[Boolean]) (defaults to: undef) —

Sets the [H2EarlyHints](httpd.apache.org/docs/current/mod/mod_http2.html#h2earlyhints) directive which controls if HTTP status 103 interim responses are forwarded to the client or not.
h2_max_session_streams (Optional[Integer]) (defaults to: undef) —

Sets the [H2MaxSessionStreams](httpd.apache.org/docs/current/mod/mod_http2.html#h2maxsessionstreams) directive which sets the maximum number of active streams per HTTP/2 session that the server allows.
h2_modern_tls_only (Optional[Boolean]) (defaults to: undef) —

Sets the [H2ModernTLSOnly](httpd.apache.org/docs/current/mod/mod_http2.html#h2moderntlsonly) directive which toggles the security checks on HTTP/2 connections in TLS mode.
h2_push (Optional[Boolean]) (defaults to: undef) —

Sets the [H2Push](httpd.apache.org/docs/current/mod/mod_http2.html#h2push) directive which toggles the usage of the HTTP/2 server push protocol feature.
h2_push_diary_size (Optional[Integer]) (defaults to: undef) —

Sets the [H2PushDiarySize](httpd.apache.org/docs/current/mod/mod_http2.html#h2pushdiarysize) directive which toggles the maximum number of HTTP/2 server pushes that are remembered per HTTP/2 connection.
h2_push_priority (Array[String]) (defaults to: []) —

Sets the [H2PushPriority](httpd.apache.org/docs/current/mod/mod_http2.html#h2pushpriority) directive which defines the priority handling of pushed responses based on the content-type of the response.
h2_push_resource (Array[String]) (defaults to: []) —

Sets the [H2PushResource](httpd.apache.org/docs/current/mod/mod_http2.html#h2pushresource) directive which declares resources for early pushing to the client.
h2_serialize_headers (Optional[Boolean]) (defaults to: undef) —

Sets the [H2SerializeHeaders](httpd.apache.org/docs/current/mod/mod_http2.html#h2serializeheaders) directive which toggles if HTTP/2 requests are serialized in HTTP/1.1 format for processing by httpd core.
h2_stream_max_mem_size (Optional[Integer]) (defaults to: undef) —

Sets the [H2StreamMaxMemSize](httpd.apache.org/docs/current/mod/mod_http2.html#h2streammaxmemsize) directive which sets the maximum number of outgoing data bytes buffered in memory for an active stream.
h2_tls_cool_down_secs (Optional[Integer]) (defaults to: undef) —

Sets the [H2TLSCoolDownSecs](httpd.apache.org/docs/current/mod/mod_http2.html#h2tlscooldownsecs) directive which sets the number of seconds of idle time on a TLS connection before the TLS write size falls back to a small (~1300 bytes) length.
h2_tls_warm_up_size (Optional[Integer]) (defaults to: undef) —

Sets the [H2TLSWarmUpSize](httpd.apache.org/docs/current/mod/mod_http2.html#h2tlswarmupsize) directive which sets the number of bytes to be sent in small TLS records (~1300 bytes) until doing maximum sized writes (16k) on https: HTTP/2 connections.
h2_upgrade (Optional[Boolean]) (defaults to: undef) —

Sets the [H2Upgrade](httpd.apache.org/docs/current/mod/mod_http2.html#h2upgrade) directive which toggles the usage of the HTTP/1.1 Upgrade method for switching to HTTP/2.
h2_window_size (Optional[Integer]) (defaults to: undef) —

Sets the [H2WindowSize](httpd.apache.org/docs/current/mod/mod_http2.html#h2windowsize) directive which sets the size of the window that is used for flow control from client to server and limits the amount of data the server has to buffer.
ip (Optional[ Variant[ Array[Variant[Stdlib::IP::Address, Enum['*']]], Variant[Stdlib::IP::Address, Enum['*']] ] ]) (defaults to: undef) —

Sets the IP address the virtual host listens on. By default, uses Apache’s default behavior of listening on all IPs.
ip_based (Boolean) (defaults to: false) —

Enables an [IP-based](httpd.apache.org/docs/current/vhosts/ip-based.html) virtual host. This parameter inhibits the creation of a NameVirtualHost directive, since those are used to funnel requests to name-based virtual hosts.
itk (Optional[Hash]) (defaults to: undef) —
Configures [ITK](mpm-itk.sesse.net/) in a hash. Usage typically looks something like: “‘ puppet apache::vhost { ’sample.example.net’:
```
docroot => '/path/to/directory',
itk => {
 user => 'someuser',
 group => 'somegroup',
},
```
} “‘ Valid values are: a hash, which can include the keys:
- ‘user` + `group`
- ‘assignuseridexpr`
- ‘assigngroupidexpr`
- ‘maxclientvhost`
- ‘nice`
- ‘limituidrange` (Linux 3.5.0 or newer)
- ‘limitgidrange` (Linux 3.5.0 or newer)
action (Optional[String]) (defaults to: undef) —

Specifies whether you wish to configure mod_actions action directive which will activate cgi-script when triggered by a request.
jk_mounts (Array[Hash]) (defaults to: []) —
Sets up a virtual host with ‘JkMount` and `JkUnMount` directives to handle the paths for URL mapping between Tomcat and Apache. The parameter must be an array of hashes where each hash must contain the `worker` and either the `mount` or `unmount` keys. Usage typically looks like: “` puppet apache::vhost { ’sample.example.net’:
```
jk_mounts => [
 { mount => '/*', worker => 'tcnode1', },
 { unmount => '/*.jpg', worker => 'tcnode1', },
],
```
} “‘
http_protocol_options (Optional[Pattern[/^((Strict|Unsafe)?\s*(\b(Registered|Lenient)Methods)?\s*(\b(Allow0\.9|Require1\.0))?)$/]]) (defaults to: undef) —

Specifies the strictness of HTTP protocol checks.
keepalive (Optional[Apache::OnOff]) (defaults to: undef) —

Determines whether to enable persistent HTTP connections with the ‘KeepAlive` directive for the virtual host. By default, the global, server-wide `KeepAlive` setting is in effect. Use the `keepalive_timeout` and `max_keepalive_requests` parameters to set relevant options for the virtual host.
keepalive_timeout (Optional[Variant[Integer, String]]) (defaults to: undef) —

Sets the ‘KeepAliveTimeout` directive for the virtual host, which determines the amount of time to wait for subsequent requests on a persistent HTTP connection. By default, the global, server-wide `KeepAlive` setting is in effect. This parameter is only relevant if either the global, server-wide `keepalive` parameter or the per-vhost `keepalive` parameter is enabled.
max_keepalive_requests (Optional[Variant[Integer, String]]) (defaults to: undef) —

Limits the number of requests allowed per connection to the virtual host. By default, the global, server-wide ‘KeepAlive` setting is in effect. This parameter is only relevant if either the global, server-wide `keepalive` parameter or the per-vhost `keepalive` parameter is enabled.

auth_kerb (Boolean) (defaults to: false) —

Enable ‘mod_auth_kerb` parameters for a virtual host. Usage typically looks like: “` puppet apache::vhost { ’sample.example.net’:

auth_kerb              => `true`,
krb_method_negotiate   => 'on',
krb_auth_realms        => ['EXAMPLE.ORG'],
krb_local_user_mapping => 'on',
directories            => [
  {
    path         => '/var/www/html',
    auth_name    => 'Kerberos Login',
    auth_type    => 'Kerberos',
    auth_require => 'valid-user',
  },
],

} “‘

krb_method_negotiate (Apache::OnOff) (defaults to: 'on') —

Determines whether to use the Negotiate method.
krb_method_k5passwd (Apache::OnOff) (defaults to: 'on') —

Determines whether to use password-based authentication for Kerberos v5.
krb_authoritative (Apache::OnOff) (defaults to: 'on') —

If set to ‘off`, authentication controls can be passed on to another module.
krb_auth_realms (Array[String]) (defaults to: []) —

Specifies an array of Kerberos realms to use for authentication.
krb_5keytab (Optional[String]) (defaults to: undef) —

Specifies the Kerberos v5 keytab file’s location.
krb_local_user_mapping (Optional[Apache::OnOff]) (defaults to: undef) —

Strips @REALM from usernames for further use.
krb_verify_kdc (Apache::OnOff) (defaults to: 'on') —

This option can be used to disable the verification tickets against local keytab to prevent KDC spoofing attacks.
krb_servicename (String) (defaults to: 'HTTP') —

Specifies the service name that will be used by Apache for authentication. Corresponding key of this name must be stored in the keytab.
krb_save_credentials (Apache::OnOff) (defaults to: 'off') —

This option enables credential saving functionality.
logroot (Stdlib::Absolutepath) (defaults to: $apache::logroot) —

Specifies the location of the virtual host’s logfiles.
logroot_ensure (Enum['directory', 'absent']) (defaults to: 'directory') —

Determines whether or not to remove the logroot directory for a virtual host.
logroot_mode (Optional[Stdlib::Filemode]) (defaults to: undef) —

Overrides the mode the logroot directory is set to. Do not grant write access to the directory the logs are stored in without being aware of the consequences; for more information, see [Apache’s log security documentation](httpd.apache.org/docs/2.4/logs.html#security).
logroot_owner (Optional[String]) (defaults to: undef) —

Sets individual user access to the logroot directory.
logroot_group (Optional[String]) (defaults to: undef) —

Sets group access to the ‘logroot` directory.
log_level (Optional[Apache::LogLevel]) (defaults to: undef) —

Specifies the verbosity of the error log.
modsec_body_limit (Optional[String]) (defaults to: undef) —

Configures the maximum request body size (in bytes) ModSecurity accepts for buffering.
modsec_disable_vhost (Boolean) (defaults to: false) —

Disables ‘mod_security` on a virtual host. Only valid if `apache::mod::security` is included.
modsec_disable_ids (Optional[Variant[Hash, Array]]) (defaults to: undef) —
Removes ‘mod_security` IDs from the virtual host. Also takes a hash allowing removal of an ID from a specific location. “` puppet apache::vhost { ’sample.example.net’:
```
modsec_disable_ids => [ 90015, 90016 ],
```
} “‘

“‘ puppet apache::vhost { ’sample.example.net’:
```
modsec_disable_ids => { '/location1' => [ 90015, 90016 ] },
```
} “‘
modsec_disable_ips (Array[String[1]]) (defaults to: []) —

Specifies an array of IP addresses to exclude from ‘mod_security` rule matching.
modsec_disable_msgs (Optional[Variant[Hash, Array]]) (defaults to: undef) —
Array of mod_security Msgs to remove from the virtual host. Also takes a hash allowing removal of an Msg from a specific location. “‘ puppet apache::vhost { ’sample.example.net’:
```
modsec_disable_msgs => ['Blind SQL Injection Attack', 'Session Fixation Attack'],
```
} “‘ “` puppet apache::vhost { ’sample.example.net’:
```
modsec_disable_msgs => { '/location1' => ['Blind SQL Injection Attack', 'Session Fixation Attack'] },
```
} “‘
modsec_disable_tags (Optional[Variant[Hash, Array]]) (defaults to: undef) —
Array of mod_security Tags to remove from the virtual host. Also takes a hash allowing removal of an Tag from a specific location. “‘ puppet apache::vhost { ’sample.example.net’:
```
modsec_disable_tags => ['WEB_ATTACK/SQL_INJECTION', 'WEB_ATTACK/XSS'],
```
} “‘ “` puppet apache::vhost { ’sample.example.net’:
```
modsec_disable_tags => { '/location1' => ['WEB_ATTACK/SQL_INJECTION', 'WEB_ATTACK/XSS'] },
```
} “‘
modsec_audit_log_file (Optional[String]) (defaults to: undef) —

If set, it is relative to ‘logroot`. One of the parameters that determines how to send `mod_security` audit log ([SecAuditLog](github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecAuditLog)). If none of those parameters are set, the global audit log is used (`/var/log/httpd/modsec_audit.log`; Debian and derivatives: `/var/log/apache2/modsec_audit.log`; others: ).
modsec_audit_log_pipe (Optional[String]) (defaults to: undef) —

If ‘modsec_audit_log_pipe` is set, it should start with a pipe. Example `|/path/to/mlogc /path/to/mlogc.conf`. One of the parameters that determines how to send `mod_security` audit log ([SecAuditLog](github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecAuditLog)). If none of those parameters are set, the global audit log is used (`/var/log/httpd/modsec_audit.log`; Debian and derivatives: `/var/log/apache2/modsec_audit.log`; others: ).
modsec_audit_log (Optional[Variant[String, Boolean]]) (defaults to: undef) —

If ‘modsec_audit_log` is `true`, given a virtual host —for instance, example.com— it defaults to `example.com_security_ssl.log` for SSL-encrypted virtual hosts and `example.com_security.log` for unencrypted virtual hosts. One of the parameters that determines how to send `mod_security` audit log ([SecAuditLog](github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecAuditLog)). If none of those parameters are set, the global audit log is used (`/var/log/httpd/modsec_audit.log`; Debian and derivatives: `/var/log/apache2/modsec_audit.log`; others: ).
modsec_inbound_anomaly_threshold (Optional[Integer[1, default]]) (defaults to: undef) —

Override the global scoring threshold level of the inbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.
modsec_outbound_anomaly_threshold (Optional[Integer[1, default]]) (defaults to: undef) —

Override the global scoring threshold level of the outbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.
modsec_allowed_methods (Optional[String]) (defaults to: undef) —

Override global allowed methods. A space-separated list of allowed HTTP methods.
no_proxy_uris (Variant[Array[String], String]) (defaults to: []) —

Specifies URLs you do not want to proxy. This parameter is meant to be used in combination with [‘proxy_dest`](#proxy_dest).
no_proxy_uris_match (Variant[Array[String], String]) (defaults to: []) —

This directive is equivalent to ‘no_proxy_uris`, but takes regular expressions.
proxy_preserve_host (Boolean) (defaults to: false) —

Sets the [ProxyPreserveHost Directive](httpd.apache.org/docs/current/mod/mod_proxy.html#proxypreservehost). Setting this parameter to ‘true` enables the `Host:` line from an incoming request to be proxied to the host instead of hostname. Setting it to `false` sets this directive to ’Off’.
proxy_add_headers (Optional[Variant[String, Boolean]]) (defaults to: undef) —

Sets the [ProxyAddHeaders Directive](httpd.apache.org/docs/current/mod/mod_proxy.html#proxyaddheaders). This parameter controlls whether proxy-related HTTP headers (X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server) get sent to the backend server.
proxy_error_override (Boolean) (defaults to: false) —

Sets the [ProxyErrorOverride Directive](httpd.apache.org/docs/current/mod/mod_proxy.html#proxyerroroverride). This directive controls whether Apache should override error pages for proxied content.
options (Array[String]) (defaults to: ['Indexes', 'FollowSymLinks', 'MultiViews']) —
Sets the [‘Options`](httpd.apache.org/docs/current/mod/core.html#options) for the specified virtual host. For example: “` puppet apache::vhost { ’site.name.fdqn’:
```
...
options => ['Indexes', 'FollowSymLinks', 'MultiViews'],
```
} “‘ > Note: If you use the `directories` parameter of `apache::vhost`, ’Options’, ‘Override’, and ‘DirectoryIndex’ are ignored because they are parameters within ‘directories`.
override (Array[String]) (defaults to: ['None']) —

Sets the overrides for the specified virtual host. Accepts an array of [AllowOverride](httpd.apache.org/docs/current/mod/core.html#allowoverride) arguments.
passenger_enabled (Optional[Boolean]) (defaults to: undef) —
Sets the value for the [PassengerEnabled](www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerEnabled) directive to ‘on` or `off`. Requires `apache::mod::passenger` to be included. “` puppet apache::vhost { ’sample.example.net’:
```
docroot     => '/path/to/directory',
directories => [
  { path              => '/path/to/directory',
    passenger_enabled => 'on',
  },
],
```
} “‘ > Note: There is an [issue](www.conandalton.net/2010/06/passengerenabled-off-not-working.html) using the PassengerEnabled directive with the PassengerHighPerformance directive.
passenger_base_uri (Optional[String]) (defaults to: undef) —
Sets [PassengerBaseURI](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerbase_rui),
```
to specify that the given URI is a distinct application served by Passenger.
```
passenger_ruby (Optional[Stdlib::Absolutepath]) (defaults to: undef) —

Sets [PassengerRuby](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerruby), specifying the Ruby interpreter to use when serving the relevant web applications.
passenger_python (Optional[Stdlib::Absolutepath]) (defaults to: undef) —

Sets [PassengerPython](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerpython), specifying the Python interpreter to use when serving the relevant web applications.
passenger_nodejs (Optional[Stdlib::Absolutepath]) (defaults to: undef) —

Sets the [‘PassengerNodejs`](www.phusionpassenger.com/docs/references/config_reference/apache/#passengernodejs), specifying Node.js command to use when serving the relevant web applications.
passenger_meteor_app_settings (Optional[String]) (defaults to: undef) —

Sets [PassengerMeteorAppSettings](www.phusionpassenger.com/docs/references/config_reference/apache/#passengermeteorappsettings), specifying a JSON file with settings for the application when using a Meteor application in non-bundled mode.
passenger_app_env (Optional[String]) (defaults to: undef) —

Sets [PassengerAppEnv](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerappenv), the environment for the Passenger application. If not specified, defaults to the global setting or ‘production’.
passenger_app_root (Optional[Stdlib::Absolutepath]) (defaults to: undef) —

Sets [PassengerRoot](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerapproot), the location of the Passenger application root if different from the DocumentRoot.
passenger_app_group_name (Optional[String]) (defaults to: undef) —
Sets [PassengerAppGroupName](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerappgroupname),
```
the name of the application group that the current application should belong to.
```
passenger_app_start_command (Optional[String]) (defaults to: undef) —
Sets [PassengerAppStartCommand](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerappstartcommand),
```
how Passenger should start your app on a specific port.
```
passenger_app_type (Optional[Enum['meteor', 'node', 'rack', 'wsgi']]) (defaults to: undef) —
Sets [PassengerAppType](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerapptype),
```
to force Passenger to recognize the application as a specific type.
```
passenger_startup_file (Optional[String]) (defaults to: undef) —

Sets the [PassengerStartupFile](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstartupfile), path. This path is relative to the application root.
passenger_restart_dir (Optional[String]) (defaults to: undef) —
Sets the [PassengerRestartDir](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerrestartdir),
```
to customize the directory in which `restart.txt` is searched for.
```
passenger_spawn_method (Optional[Enum['direct', 'smart']]) (defaults to: undef) —

Sets [PassengerSpawnMethod](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerspawnmethod), whether Passenger spawns applications directly, or using a prefork copy-on-write mechanism.
passenger_load_shell_envvars (Optional[Boolean]) (defaults to: undef) —

Sets [PassengerLoadShellEnvvars](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerloadshellenvvars), to enable or disable the loading of shell environment variables before spawning the application.
passenger_preload_bundler (Optional[Boolean]) (defaults to: undef) —

Sets [PassengerPreloadBundler](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerpreloadbundler), to enable or disable the loading of bundler before loading the application.
passenger_rolling_restarts (Optional[Boolean]) (defaults to: undef) —

Sets [PassengerRollingRestarts](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerrollingrestarts), to enable or disable support for zero-downtime application restarts through ‘restart.txt`.
passenger_resist_deployment_errors (Optional[Boolean]) (defaults to: undef) —

Sets [PassengerResistDeploymentErrors](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerresistdeploymenterrors), to enable or disable resistance against deployment errors.
passenger_user (Optional[String]) (defaults to: undef) —

Sets [PassengerUser](www.phusionpassenger.com/docs/references/config_reference/apache/#passengeruser), the running user for sandboxing applications.
passenger_group (Optional[String]) (defaults to: undef) —

Sets [PassengerGroup](www.phusionpassenger.com/docs/references/config_reference/apache/#passengergroup), the running group for sandboxing applications.
passenger_friendly_error_pages (Optional[Boolean]) (defaults to: undef) —

Sets [PassengerFriendlyErrorPages](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerfriendlyerrorpages), which can display friendly error pages whenever an application fails to start. This friendly error page presents the startup error message, some suggestions for solving the problem, a backtrace and a dump of the environment variables.
passenger_min_instances (Optional[Integer]) (defaults to: undef) —

Sets [PassengerMinInstances](www.phusionpassenger.com/docs/references/config_reference/apache/#passengermininstances), the minimum number of application processes to run.
passenger_max_instances (Optional[Integer]) (defaults to: undef) —

Sets [PassengerMaxInstances](www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxinstances), the maximum number of application processes to run.
passenger_max_preloader_idle_time (Optional[Integer]) (defaults to: undef) —

Sets [PassengerMaxPreloaderIdleTime](www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxpreloaderidletime), the maximum amount of time the preloader waits before shutting down an idle process.
passenger_force_max_concurrent_requests_per_process (Optional[Integer]) (defaults to: undef) —

Sets [PassengerForceMaxConcurrentRequestsPerProcess](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerforcemaxconcurrentrequestsperprocess), the maximum amount of concurrent requests the application can handle per process.
passenger_start_timeout (Optional[Integer]) (defaults to: undef) —

Sets [PassengerStartTimeout](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstarttimeout), the timeout for the application startup.
passenger_concurrency_model (Optional[Enum['process', 'thread']]) (defaults to: undef) —
Sets [PassengerConcurrencyModel](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerconcurrencyodel), to specify the I/O concurrency model that should be used for Ruby application processes. Passenger supports two concurrency models: 
- ‘process` - single-threaded, multi-processed I/O concurrency.
- ‘thread` - multi-threaded, multi-processed I/O concurrency.
passenger_thread_count (Optional[Integer]) (defaults to: undef) —

Sets [PassengerThreadCount](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerthreadcount), the number of threads that Passenger should spawn per Ruby application process. This option only has effect if PassengerConcurrencyModel is ‘thread`.
passenger_max_requests (Optional[Integer]) (defaults to: undef) —

Sets [PassengerMaxRequests](www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxrequests), the maximum number of requests an application process will process.
passenger_max_request_time (Optional[Integer]) (defaults to: undef) —

Sets [PassengerMaxRequestTime](www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxrequesttime), the maximum amount of time, in seconds, that an application process may take to process a request.
passenger_memory_limit (Optional[Integer]) (defaults to: undef) —

Sets [PassengerMemoryLimit](www.phusionpassenger.com/docs/references/config_reference/apache/#passengermemorylimit), the maximum amount of memory that an application process may use, in megabytes.
passenger_stat_throttle_rate (Optional[Integer]) (defaults to: undef) —

Sets [PassengerStatThrottleRate](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstatthrottlerate), to set a limit, in seconds, on how often Passenger will perform it’s filesystem checks.
passenger_pre_start (Optional[Variant[String, Array[String]]]) (defaults to: undef) —

Sets [PassengerPreStart](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerprestart), the URL of the application if pre-starting is required.
passenger_high_performance (Optional[Boolean]) (defaults to: undef) —

Sets [PassengerHighPerformance](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerhighperformance), to enhance performance in return for reduced compatibility.
passenger_buffer_upload (Optional[Boolean]) (defaults to: undef) —

Sets [PassengerBufferUpload](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerbufferupload), to buffer HTTP client request bodies before they are sent to the application.
passenger_buffer_response (Optional[Boolean]) (defaults to: undef) —

Sets [PassengerBufferResponse](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerbufferresponse), to buffer Happlication-generated responses.
passenger_error_override (Optional[Boolean]) (defaults to: undef) —

Sets [PassengerErrorOverride](www.phusionpassenger.com/docs/references/config_reference/apache/#passengererroroverride), to specify whether Apache will intercept and handle response with HTTP status codes of 400 and higher.
passenger_max_request_queue_size (Optional[Integer]) (defaults to: undef) —

Sets [PassengerMaxRequestQueueSize](www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxrequestqueuesize), to specify the maximum amount of requests that are allowed to queue whenever the maximum concurrent request limit is reached. If the queue is already at this specified limit, then Passenger immediately sends a “503 Service Unavailable” error to any incoming requests. A value of 0 means that the queue size is unbounded.
passenger_max_request_queue_time (Optional[Integer]) (defaults to: undef) —

Sets [PassengerMaxRequestQueueTime](www.phusionpassenger.com/docs/references/config_reference/apache/#passengermaxrequestqueuetime), to specify the maximum amount of time that requests are allowed to stay in the queue whenever the maximum concurrent request limit is reached. If a request reaches this specified limit, then Passenger immeaditly sends a “504 Gateway Timeout” error for that request. A value of 0 means that the queue time is unbounded.
passenger_sticky_sessions (Optional[Boolean]) (defaults to: undef) —

Sets [PassengerStickySessions](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstickysessions), to specify that, whenever possible, all requests sent by a client will be routed to the same originating application process.
passenger_sticky_sessions_cookie_name (Optional[String]) (defaults to: undef) —

Sets [PassengerStickySessionsCookieName](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstickysessionscookiename), to specify the name of the sticky sessions cookie.
passenger_sticky_sessions_cookie_attributes (Optional[String]) (defaults to: undef) —

Sets [PassengerStickySessionsCookieAttributes](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerstickysessionscookieattributes), the attributes of the sticky sessions cookie.
passenger_allow_encoded_slashes (Optional[Boolean]) (defaults to: undef) —

Sets [PassengerAllowEncodedSlashes](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerallowencodedslashes), to allow URLs with encoded slashes. Please note that this feature will not work properly unless Apache’s ‘AllowEncodedSlashes` is also enabled.
passenger_app_log_file (Optional[String]) (defaults to: undef) —

Sets [PassengerAppLogFile](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerapplogfile), app specific messages logged to a different file in addition to Passenger log file.
passenger_debugger (Optional[Boolean]) (defaults to: undef) —

Sets [PassengerDebugger](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerdebugger), to turn support for Ruby application debugging on or off.
passenger_lve_min_uid (Optional[Integer]) (defaults to: undef) —

Sets [PassengerLveMinUid](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerlveminuid), to only allow the spawning of application processes with UIDs equal to, or higher than, this specified value on LVE-enabled kernels.
passenger_dump_config_manifest (Optional[String]) (defaults to: undef) —

Sets [PassengerLveMinUid](www.phusionpassenger.com/docs/references/config_reference/apache/#passengerlveminuid), to dump the configuration manifest to a file.
passenger_admin_panel_url (Optional[String]) (defaults to: undef) —

Sets [PassengerAdminPanelUrl](www.phusionpassenger.com/docs/references/config_reference/apache/#passengeradminpanelurl), to specify the URL of the Passenger admin panel.
passenger_admin_panel_auth_type (Optional[Enum['basic']]) (defaults to: undef) —

Sets [PassengerAdminPanelAuthType](www.phusionpassenger.com/docs/references/config_reference/apache/#passengeradminpanelauthtype), to specify the authentication type for the Passenger admin panel.
passenger_admin_panel_username (Optional[String]) (defaults to: undef) —

Sets [PassengerAdminPanelUsername](www.phusionpassenger.com/docs/references/config_reference/apache/#passengeradminpanelusername), to specify the username for the Passenger admin panel.
passenger_admin_panel_password (Optional[String]) (defaults to: undef) —

Sets [PassengerAdminPanelPassword](www.phusionpassenger.com/docs/references/config_reference/apache/#passengeradminpanelpassword), to specify the password for the Passenger admin panel.
php_values (Hash) (defaults to: {}) —
Allows per-virtual host setting [‘php_value`s](php.net/manual/en/configuration.changes.php). These flags or values can be overwritten by a user or an application. Within a vhost declaration: “` puppet
```
php_values    => { 'include_path' => '.:/usr/local/example-app/include' },
```
“‘
php_flags (Hash) (defaults to: {}) —

Allows per-virtual host setting [‘php_flags``](php.net/manual/en/configuration.changes.php). These flags or values can be overwritten by a user or an application.
php_admin_values (Variant[Array[String], Hash]) (defaults to: {}) —

Allows per-virtual host setting [‘php_admin_value`](php.net/manual/en/configuration.changes.php). These flags or values cannot be overwritten by a user or an application.
php_admin_flags (Variant[Array[String], Hash]) (defaults to: {}) —

Allows per-virtual host setting [‘php_admin_flag`](php.net/manual/en/configuration.changes.php). These flags or values cannot be overwritten by a user or an application.
port (Optional[Variant[Array[Stdlib::Port], Stdlib::Port]]) (defaults to: undef) —

Sets the port the host is configured on. The module’s defaults ensure the host listens on port 80 for non-SSL virtual hosts and port 443 for SSL virtual hosts. The host only listens on the port set in this parameter.
priority (Optional[Apache::Vhost::Priority]) (defaults to: undef) —

Sets the relative load-order for Apache HTTPD VirtualHost configuration files. If nothing matches the priority, the first name-based virtual host is used. Likewise, passing a higher priority causes the alphabetically first name-based virtual host to be used if no other names match. > Note: You should not need to use this parameter. However, if you do use it, be aware that the ‘default_vhost` parameter for `apache::vhost` passes a priority of 15. To omit the priority prefix in file names, pass a priority of `false`.
protocols (Array[Enum['h2', 'h2c', 'http/1.1']]) (defaults to: []) —

Sets the [Protocols](httpd.apache.org/docs/current/en/mod/core.html#protocols) directive, which lists available protocols for the virutal host.
protocols_honor_order (Optional[Boolean]) (defaults to: undef) —

Sets the [ProtocolsHonorOrder](httpd.apache.org/docs/current/en/mod/core.html#protocolshonororder) directive which determines wether the order of Protocols sets precedence during negotiation.
proxy_dest (Optional[String]) (defaults to: undef) —

Specifies the destination address of a [ProxyPass](httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) configuration.

proxy_pass (Optional[Variant[Array[Hash], Hash]]) (defaults to: undef) —

Specifies an array of ‘path => URI` values for a [ProxyPass](httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass) configuration. Optionally, parameters can be added as an array. “` puppet apache::vhost { ’site.name.fdqn’:

...
proxy_pass => [
  { 'path' => '/a', 'url' => 'http://backend-a/' },
  { 'path' => '/b', 'url' => 'http://backend-b/' },
  { 'path' => '/c', 'url' => 'http://backend-a/c', 'params' => {'max'=>20, 'ttl'=>120, 'retry'=>300}},
  { 'path' => '/l', 'url' => 'http://backend-xy',
    'reverse_urls' => ['http://backend-x', 'http://backend-y'] },
  { 'path' => '/d', 'url' => 'http://backend-a/d',
    'params' => { 'retry' => 0, 'timeout' => 5 }, },
  { 'path' => '/e', 'url' => 'http://backend-a/e',
    'keywords' => ['nocanon', 'interpolate'] },
  { 'path' => '/f', 'url' => 'http://backend-f/',
    'setenv' => ['proxy-nokeepalive 1', 'force-proxy-request-1.0 1']},
  { 'path' => '/g', 'url' => 'http://backend-g/',
    'reverse_cookies' => [{'path' => '/g', 'url' => 'http://backend-g/',}, {'domain' => 'http://backend-g', 'url' => 'http:://backend-g',},], },
  { 'path' => '/h', 'url' => 'http://backend-h/h',
    'no_proxy_uris' => ['/h/admin', '/h/server-status'] },
],

} “‘

‘reverse_urls`. Optional. This setting is useful when used with `mod_proxy_balancer`. Values: an array or string.
‘reverse_cookies`. Optional. Sets `ProxyPassReverseCookiePath` and `ProxyPassReverseCookieDomain`.
‘params`. Optional. Allows for ProxyPass key-value parameters, such as connection settings.
‘setenv`. Optional. Sets [environment variables](httpd.apache.org/docs/current/mod/mod_proxy.html#envsettings) for the proxy directive. Values: array.

proxy_dest_match (Optional[String]) (defaults to: undef) —

This directive is equivalent to ‘proxy_dest`, but takes regular expressions, see [ProxyPassMatch](httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch) for details.
proxy_dest_reverse_match (Optional[String]) (defaults to: undef) —

Allows you to pass a ProxyPassReverse if ‘proxy_dest_match` is specified. See [ProxyPassReverse](httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassreverse) for details.
proxy_pass_match (Optional[Variant[Array[Hash], Hash]]) (defaults to: undef) —

This directive is equivalent to ‘proxy_pass`, but takes regular expressions, see [ProxyPassMatch](httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch) for details.
redirect_dest (Optional[Variant[Array[String], String]]) (defaults to: undef) —

Specifies the address to redirect to.
redirect_source (Variant[String, Array[String]]) (defaults to: '/') —
Specifies the source URIs that redirect to the destination specified in ‘redirect_dest`. If more than one item for redirect is supplied, the source and destination must be the same length, and the items are order-dependent. “` puppet apache::vhost { ’site.name.fdqn’:
```
...
redirect_source => ['/images', '/downloads'],
redirect_dest   => ['http://img.example.com/', 'http://downloads.example.com/'],
```
} “‘
redirect_status (Optional[Variant[Array[String], String]]) (defaults to: undef) —
Specifies the status to append to the redirect. “‘ puppet
```
apache::vhost { 'site.name.fdqn':
...
redirect_status => ['temp', 'permanent'],
```
} “‘
redirectmatch_regexp (Optional[Variant[Array[String], String]]) (defaults to: undef) —
Determines which server status should be raised for a given regular expression and where to forward the user to. Entered as an array alongside redirectmatch_status and redirectmatch_dest. “‘ puppet apache::vhost { ’site.name.fdqn’:
```
...
redirectmatch_status => ['404', '404'],
redirectmatch_regexp => ['\.git(/.*|$)/', '\.svn(/.*|$)'],
redirectmatch_dest => ['http://www.example.com/$1', 'http://www.example.com/$2'],
```
} “‘
redirectmatch_status (Optional[Variant[Array[String], String]]) (defaults to: undef) —
Determines which server status should be raised for a given regular expression and where to forward the user to. Entered as an array alongside redirectmatch_regexp and redirectmatch_dest. “‘ puppet apache::vhost { ’site.name.fdqn’:
```
...
redirectmatch_status => ['404', '404'],
redirectmatch_regexp => ['\.git(/.*|$)/', '\.svn(/.*|$)'],
redirectmatch_dest => ['http://www.example.com/$1', 'http://www.example.com/$2'],
```
} “‘
redirectmatch_dest (Optional[Variant[Array[String], String]]) (defaults to: undef) —
Determines which server status should be raised for a given regular expression and where to forward the user to. Entered as an array alongside redirectmatch_status and redirectmatch_regexp. “‘ puppet apache::vhost { ’site.name.fdqn’:
```
...
redirectmatch_status => ['404', '404'],
redirectmatch_regexp => ['\.git(/.*|$)/', '\.svn(/.*|$)'],
redirectmatch_dest => ['http://www.example.com/$1', 'http://www.example.com/$2'],
```
} “‘
request_headers (Array[String[1]]) (defaults to: []) —
Modifies collected [request headers](httpd.apache.org/docs/current/mod/mod_headers.html#requestheader) in various ways, including adding additional request headers, removing request headers, and so on. “‘ puppet apache::vhost { ’site.name.fdqn’:
```
...
request_headers => [
  'append MirrorID "mirror 12"',
  'unset MirrorID',
],
```
} “‘
rewrites (Array[Hash]) (defaults to: []) —
Creates URL rewrite rules. Expects an array of hashes. Valid Hash keys include ‘comment`, `rewrite_base`, `rewrite_cond`, `rewrite_rule` or `rewrite_map`. For example, you can specify that anyone trying to access index.html is served welcome.html “` puppet apache::vhost { ’site.name.fdqn’:
```
...
rewrites => [ { rewrite_rule => ['^index\.html$ welcome.html'] } ]
```
} “‘ The parameter allows rewrite conditions that, when `true`, execute the associated rule. For instance, if you wanted to rewrite URLs only if the visitor is using IE “` puppet apache::vhost { ’site.name.fdqn’:
```
...
rewrites => [
 {
 comment => 'redirect IE',
 rewrite_cond => ['%{HTTP_USER_AGENT} ^MSIE'],
 rewrite_rule => ['^index\.html$ welcome.html'],
 },
],
```
} “‘ You can also apply multiple conditions. For instance, rewrite index.html to welcome.html only when the browser is Lynx or Mozilla (version 1 or 2) “` puppet apache::vhost { ’site.name.fdqn’:
```
...
rewrites => [
 {
 comment => 'Lynx or Mozilla v1/2',
 rewrite_cond => ['%{HTTP_USER_AGENT} ^Lynx/ [OR]', '%{HTTP_USER_AGENT} ^Mozilla/[12]'],
 rewrite_rule => ['^index\.html$ welcome.html'],
 },
],
```
} “‘ Multiple rewrites and conditions are also possible “` puppet apache::vhost { ’site.name.fdqn’:
```
...
rewrites => [
 {
 comment => 'Lynx or Mozilla v1/2',
 rewrite_cond => ['%{HTTP_USER_AGENT} ^Lynx/ [OR]', '%{HTTP_USER_AGENT} ^Mozilla/[12]'],
 rewrite_rule => ['^index\.html$ welcome.html'],
 },
 {
 comment => 'Internet Explorer',
 rewrite_cond => ['%{HTTP_USER_AGENT} ^MSIE'],
 rewrite_rule => ['^index\.html$ /index.IE.html [L]'],
 },
 {
 rewrite_base => /apps/,
 rewrite_rule => ['^index\.cgi$ index.php', '^index\.html$ index.php', '^index\.asp$ index.html'],
 },
 { comment => 'Rewrite to lower case',
 rewrite_cond => ['%{REQUEST_URI} [A-Z]'],
 rewrite_map => ['lc int:tolower'],
 rewrite_rule => ['(.*) ${lc:$1} [R=301,L]'],
 },
],
```
} “‘ Refer to the [`mod_rewrite` documentation](httpd.apache.org/docs/2.4/mod/mod_rewrite.html) for more details on what is possible with rewrite rules and conditions. > Note: If you include rewrites in your directories, also include `apache::mod::rewrite` and consider setting the rewrites using the `rewrites` parameter in `apache::vhost` rather than setting the rewrites in the virtual host’s directories.
rewrite_base (Optional[String[1]]) (defaults to: undef) —

The parameter [‘rewrite_base`](httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritebase) specifies the URL prefix to be used for per-directory (htaccess) RewriteRule directives that substitue a relative path.
rewrite_rule (Optional[Variant[Array[String[1]], String[1]]]) (defaults to: undef) —

The parameter [‘rewrite_rile`](httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriterule) allows the user to define the rules that will be used by the rewrite engine.
rewrite_cond (Array[String[1]]) (defaults to: []) —

The parameter [‘rewrite_cond`](httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritecond) defines a rule condition, that when satisfied will implement that rule within the rewrite engine.
rewrite_inherit (Boolean) (defaults to: false) —
Determines whether the virtual host inherits global rewrite rules. Rewrite rules may be specified globally (in ‘$conf_file` or `$confd_dir`) or inside the virtual host `.conf` file. By default, virtual hosts do not inherit global settings. To activate inheritance, specify the `rewrites` parameter and set `rewrite_inherit` parameter to `true`: “` puppet apache::vhost { ’site.name.fdqn’:
```
...
rewrites => [
 <rules>,
],
rewrite_inherit => `true`,
```
} “‘ > Note: The `rewrites` parameter is required for this to have effect Apache activates global `Rewrite` rules inheritance if the virtual host files contains the following directives: “` ApacheConf RewriteEngine On RewriteOptions Inherit “` Refer to the official [`mod_rewrite`](httpd.apache.org/docs/2.2/mod/mod_rewrite.html) documentation, section “Rewriting in Virtual Hosts”.
scriptalias (Optional[String]) (defaults to: undef) —

Defines a directory of CGI scripts to be aliased to the path ‘/cgi-bin’, such as ‘/usr/scripts’.
serveradmin (Optional[String]) (defaults to: undef) —

Specifies the email address Apache displays when it renders one of its error pages.
serveraliases (Variant[Array[String], String]) (defaults to: []) —

Sets the [ServerAliases](httpd.apache.org/docs/current/mod/core.html#serveralias) of the site.
servername (Optional[String]) (defaults to: $name) —

Sets the servername corresponding to the hostname you connect to the virtual host at.
setenv (Variant[Array[String], String]) (defaults to: []) —
Used by HTTPD to set environment variables for virtual hosts. Example: “‘ puppet apache::vhost { ’setenv.example.com’:
```
setenv => ['SPECIAL_PATH /foo/bin'],
```
} “‘
setenvif (Variant[Array[String], String]) (defaults to: []) —

Used by HTTPD to conditionally set environment variables for virtual hosts.
setenvifnocase (Variant[Array[String], String]) (defaults to: []) —

Used by HTTPD to conditionally set environment variables for virtual hosts (caseless matching).
suexec_user_group (Optional[Pattern[/^[\w-]+ [\w-]+$/]]) (defaults to: undef) —

Allows the spcification of user and group execution privileges for CGI programs through inclusion of the ‘mod_suexec` module.
vhost_name (String) (defaults to: '*') —

Enables name-based virtual hosting. If no IP is passed to the virtual host, but the virtual host is assigned a port, then the virtual host name is ‘vhost_name:port`. If the virtual host has no assigned IP or port, the virtual host name is set to the title of the resource.
virtual_docroot (Variant[Stdlib::Absolutepath, Boolean]) (defaults to: false) —
Sets up a virtual host with a wildcard alias subdomain mapped to a directory with the same name. For example, ‘example.com` would map to `/var/www/example.com`. Note that the `DocumentRoot` directive will not be present even though there is a value set for `docroot` in the manifest. See [`virtual_use_default_docroot`](#virtual_use_default_docroot) to change this behavior. “` puppet apache::vhost { ’subdomain.loc’:
```
vhost_name      => '*',
port            => 80,
virtual_docroot => '/var/www/%-2+',
docroot         => '/var/www',
serveraliases   => ['*.loc',],
```
} “‘
virtual_use_default_docroot (Boolean) (defaults to: false) —
By default, when using ‘virtual_docroot`, the value of `docroot` is ignored. Setting this to `true` will mean both directives will be added to the configuration. “` puppet apache::vhost { ’subdomain.loc’:
```
vhost_name                  => '*',
port                        => 80,
virtual_docroot             => '/var/www/%-2+',
docroot                     => '/var/www',
virtual_use_default_docroot => true,
serveraliases               => ['*.loc',],
```
} “‘
wsgi_daemon_process (Optional[Variant[String, Hash]]) (defaults to: undef) —
Sets up a virtual host with [WSGI](github.com/GrahamDumpleton/mod_wsgi) alongside wsgi_daemon_process_options, wsgi_process_group, wsgi_script_aliases and wsgi_pass_authorization. A hash that sets the name of the WSGI daemon, accepting [certain keys](modwsgi.readthedocs.org/en/latest/configuration-directives/WSGIDaemonProcess.html). An example virtual host configuration with WSGI: “‘ puppet apache::vhost { ’wsgi.example.com’:
```
port => 80,
docroot => '/var/www/pythonapp',
wsgi_daemon_process => 'wsgi',
wsgi_daemon_process_options =>
 { processes => 2,
 threads => 15,
 display-name => '%{GROUP}',
 },
wsgi_process_group => 'wsgi',
wsgi_script_aliases => { '/' => '/var/www/demo.wsgi' },
wsgi_chunked_request => 'On',
```
} “‘
wsgi_daemon_process_options (Optional[Hash]) (defaults to: undef) —

Sets up a virtual host with [WSGI](github.com/GrahamDumpleton/mod_wsgi) alongside wsgi_daemon_process, wsgi_process_group, wsgi_script_aliases and wsgi_pass_authorization. Sets the group ID that the virtual host runs under.
wsgi_application_group (Optional[String]) (defaults to: undef) —

Sets up a virtual host with [WSGI](github.com/GrahamDumpleton/mod_wsgi) alongside wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, and wsgi_pass_authorization. This parameter defines the [‘WSGIApplicationGroup directive`](modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIApplicationGroup.html), thus allowing you to specify which application group the WSGI application belongs to, with all WSGI applications within the same group executing within the context of the same Python sub interpreter.
wsgi_import_script (Optional[String]) (defaults to: undef) —

Sets up a virtual host with [WSGI](github.com/GrahamDumpleton/mod_wsgi) alongside wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, and wsgi_pass_authorization. This parameter defines the [‘WSGIImportScript directive`](modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIImportScript.html), which can be used in order to specify a script file to be loaded upon a process starting.
wsgi_import_script_options (Optional[Hash]) (defaults to: undef) —

Sets up a virtual host with [WSGI](github.com/GrahamDumpleton/mod_wsgi) alongside wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, and wsgi_pass_authorization. This parameter defines the [‘WSGIImportScript directive`](modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIImportScript.html), which can be used in order to specify a script file to be loaded upon a process starting. Specifies the process and aplication groups of the script.
wsgi_chunked_request (Optional[Apache::OnOff]) (defaults to: undef) —

Sets up a virtual host with [WSGI](github.com/GrahamDumpleton/mod_wsgi) alongside wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, and wsgi_pass_authorization. This parameter defines the [‘WSGIChunkedRequest directive`](modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIChunkedRequest.html), allowing you to enable support for chunked request content. WSGI is technically incapable of supporting chunked request content without all chunked request content having first been read in and buffered.
wsgi_process_group (Optional[String]) (defaults to: undef) —

Sets up a virtual host with [WSGI](github.com/GrahamDumpleton/mod_wsgi) alongside wsgi_daemon_process, wsgi_daemon_process_options, wsgi_script_aliases and wsgi_pass_authorization. Requires a hash of web paths to filesystem ‘.wsgi paths/`.
wsgi_script_aliases (Optional[Hash]) (defaults to: undef) —

Sets up a virtual host with [WSGI](github.com/GrahamDumpleton/mod_wsgi) alongside wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, and wsgi_pass_authorization. Uses the WSGI application to handle authorization instead of Apache when set to ‘On`. For more information, see mod_wsgi’s [WSGIPassAuthorization documentation](modwsgi.readthedocs.org/en/latest/configuration-directives/WSGIPassAuthorization.html).
wsgi_script_aliases_match (Optional[Hash]) (defaults to: undef) —

Sets up a virtual host with [WSGI](github.com/GrahamDumpleton/mod_wsgi) alongside wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group, and wsgi_pass_authorization. Uses the WSGI application to handle authorization instead of Apache when set to ‘On`. This directive is similar to `wsgi_script_aliases`, but makes use of regular expressions in place of simple prefix matching. For more information, see mod_wsgi’s [WSGIPassAuthorization documentation](modwsgi.readthedocs.org/en/latest/configuration-directives/WSGIPassAuthorization.html).
wsgi_pass_authorization (Optional[Apache::OnOff]) (defaults to: undef) —

Sets up a virtual host with [WSGI](github.com/GrahamDumpleton/mod_wsgi) alongside wsgi_daemon_process, wsgi_daemon_process_options, wsgi_process_group and wsgi_script_aliases. Enables support for chunked requests.

directories (Array[Hash]) (defaults to: []) —

The ‘directories` parameter within the `apache::vhost` class passes an array of hashes to the virtual host to create [Directory](httpd.apache.org/docs/current/mod/core.html#directory), [File](httpd.apache.org/docs/current/mod/core.html#files), and [Location](httpd.apache.org/docs/current/mod/core.html#location) directive blocks. These blocks take the form, `< Directory /path/to/directory>…< /Directory>`. The `path` key sets the path for the directory, files, and location blocks. Its value must be a path for the `directory`, `files`, and `location` providers, or a regex for the `directorymatch`, `filesmatch`, or `locationmatch` providers. Each hash passed to `directories` must contain `path` as one of the keys. The `provider` key is optional. If missing, this key defaults to `directory`.

Values: `directory`, `files`, `proxy`, `location`, `directorymatch`, `filesmatch`,

‘proxymatch` or `locationmatch`. If you set `provider` to `directorymatch`, it uses the keyword `DirectoryMatch` in the Apache config file. proxy_pass and proxy_pass_match are supported like their parameters to apache::vhost, and will be rendered without their path parameter as this will be inherited from the Location/LocationMatch container. An example use of `directories`: “` puppet apache::vhost { ’files.example.net’:

docroot     => '/var/www/files',
directories => [
  { 'path'     => '/var/www/files',
    'provider' => 'files',
    'deny'     => 'from all',
  },
  { 'path'           => '/var/www/html',
    'provider'       => 'directory',
    'options'        => ['-Indexes'],
    'allow_override' => ['All'],
  },
],

} “‘ > Note: At least one directory should match the `docroot` parameter. After you start declaring directories, `apache::vhost` assumes that all required Directory blocks will be declared. If not defined, a single default Directory block is created that matches the `docroot` parameter. Available handlers, represented as keys, should be placed within the `directory`, `files`, or `location` hashes. This looks like “` puppet apache::vhost { ’sample.example.net’:

docroot     => '/path/to/directory',
directories => [ { path => '/path/to/directory', handler => value } ],

} “‘ Any handlers you do not set in these hashes are considered `undefined` within Puppet and are not added to the virtual host, resulting in the module using their default values.

The ‘directories` param can accepts the different authentication ways, including `gssapi`, `Basic (authz_core)`, and others.

* `gssapi` - Specifies mod_auth_gssapi parameters for particular directories in a virtual host directory
  TODO: check, if this Documentation is obsolete

  ```puppet
  apache::vhost { 'sample.example.net':
    docroot     => '/path/to/directory',
    directories => [
      { path   => '/path/to/different/dir',
        gssapi => {
          acceptor_name            => '{HOSTNAME}',
          allowed_mech             => ['krb5', 'iakerb', 'ntlmssp'],
          authname                 => 'Kerberos 5',
          authtype                 => 'GSSAPI',
          basic_auth               => true,
          basic_auth_mech          => ['krb5', 'iakerb', 'ntlmssp'],
          basic_ticket_timeout     => 300,
          connection_bound         => true,
          cred_store               => {
            ccache        => ['/path/to/directory'],
            client_keytab => ['/path/to/example.keytab'],
            keytab        => ['/path/to/example.keytab'],
          },
          deleg_ccache_dir         => '/path/to/directory',
          deleg_ccache_env_var     => 'KRB5CCNAME',
          deleg_ccache_perms       => {
            mode => '0600',
            uid  => 'example-user',
            gid  => 'example-group',
          },
          deleg_ccache_unique      => true,
          impersonate              => true,
          local_name               => true,
          name_attributes          => 'json',
          negotiate_once           => true,
          publish_errors           => true,
          publish_mech             => true,
          required_name_attributes =>	'auth-indicators=high',
          session_key              => 'file:/path/to/example.key',
          signal_persistent_auth   => true,
          ssl_only                 => true,
          use_s4u2_proxy           => true,
          use_sessions             => true,
        }
      },
    ],
  }
  ```

* `Basic` - Specifies mod_authz_core parameters for particular directories in a virtual host directory
  ```puppet
  apache::vhost { 'sample.example.net':
    docroot     => '/path/to/directory',
    directories => [
      {
        path        => '/path/to/different/dir',
        auth_type => 'Basic',
        authz_core  => {
          require_all => {
            'require_any' => {
              'require' => ['user superadmin'],
              'require_all' => {
                'require' => ['group admins', 'ldap-group "cn=Administrators,o=Airius"'],
              },
            },
            'require_none' => {
              'require' => ['group temps', 'ldap-group "cn=Temporary Employees,o=Airius"']
            }
          }
        }
      },
    ],
  }
  ```

custom_fragment (Optional[String]) (defaults to: undef) —
Pass a string of custom configuration directives to be placed at the end of the directory configuration. “‘ puppet apache::vhost { ’monitor’:
```
...
directories => [
 {
 path => '/path/to/directory',
 custom_fragment => '
```
<Location /balancer-manager>
```
SetHandler balancer-manager
Order allow,deny
Allow from all
```
</Location> <Location /server-status>
```
SetHandler server-status
Order allow,deny
Allow from all
```
</Location> ProxyStatus On’,
```
 },
]
```
} “‘
headers (Array[String[1]]) (defaults to: []) —
Adds lines for [Header](httpd.apache.org/docs/current/mod/mod_headers.html#header) directives. “‘ puppet apache::vhost { ’sample.example.net’:
```
docroot     => '/path/to/directory',
directories => [
  {
    path    => '/path/to/directory',
    headers => 'Set X-Robots-Tag "noindex, noarchive, nosnippet"',
  },
],
```
} “‘
shib_compat_valid_user (Optional[String]) (defaults to: undef) —

Default is Off, matching the behavior prior to this command’s existence. Addresses a conflict when using Shibboleth in conjunction with other auth/auth modules by restoring ‘standard` Apache behavior when processing the `valid-user` and `user` Require rules. See the [`mod_shib`documentation](wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions), and [NativeSPhtaccess](wiki.shibboleth.net/confluence/display/SHIB2/NativeSPhtaccess) topic for more details. This key is disabled if `apache::mod::shib` is not defined.
ssl_options (Optional[Variant[Array[String], String]]) (defaults to: undef) —
String or list of [SSLOptions](httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions), which configure SSL engine run-time options. This handler takes precedence over SSLOptions set in the parent block of the virtual host. “‘ puppet apache::vhost { ’secure.example.net’:
```
docroot     => '/path/to/directory',
directories => [
  { path        => '/path/to/directory',
    ssl_options => '+ExportCertData',
  },
  { path        => '/path/to/different/dir',
    ssl_options => ['-StdEnvVars', '+ExportCertData'],
  },
],
```
} “‘
additional_includes (Variant[Array[String], String]) (defaults to: []) —
Specifies paths to additional static, specific Apache configuration files in virtual host directories. “‘ puppet apache::vhost { ’sample.example.net’:
```
docroot     => '/path/to/directory',
directories => [
  { path  => '/path/to/different/dir',
    additional_includes => ['/custom/path/includes', '/custom/path/another_includes',],
  },
],
```
} “‘
ssl (Boolean) (defaults to: false) —

Enables SSL for the virtual host. SSL virtual hosts only respond to HTTPS queries.
ssl_ca (Optional[Stdlib::Absolutepath]) (defaults to: $apache::default_ssl_ca) —

Specifies the SSL certificate authority to be used to verify client certificates used for authentication.
ssl_cert (Optional[Stdlib::Absolutepath]) (defaults to: $apache::default_ssl_cert) —

Specifies the SSL certification.
ssl_protocol (Optional[Variant[Array[String], String]]) (defaults to: undef) —

Specifies [SSLProtocol](httpd.apache.org/docs/current/mod/mod_ssl.html#sslprotocol). Expects an array or space separated string of accepted protocols.
ssl_cipher (Optional[Variant[Array[String[1]], String[1], Hash[String[1], String[1]]]]) (defaults to: undef) —

Specifies [SSLCipherSuite](httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite).
ssl_honorcipherorder (Variant[Boolean, Apache::OnOff, Undef]) (defaults to: undef) —

Sets [SSLHonorCipherOrder](httpd.apache.org/docs/current/mod/mod_ssl.html#sslhonorcipherorder), to cause Apache to use the server’s preferred order of ciphers rather than the client’s preferred order.
ssl_certs_dir (Optional[Stdlib::Absolutepath]) (defaults to: $apache::params::ssl_certs_dir) —

Specifies the location of the SSL certification directory to verify client certs.
ssl_chain (Optional[Stdlib::Absolutepath]) (defaults to: $apache::default_ssl_chain) —

Specifies the SSL chain. This default works out of the box, but it must be updated in the base ‘apache` class with your specific certificate information before being used in production.
ssl_crl (Optional[Stdlib::Absolutepath]) (defaults to: $apache::default_ssl_crl) —

Specifies the certificate revocation list to use. (This default works out of the box but must be updated in the base ‘apache` class with your specific certificate information before being used in production.)
ssl_crl_path (Optional[Stdlib::Absolutepath]) (defaults to: $apache::default_ssl_crl_path) —

Specifies the location of the certificate revocation list to verify certificates for client authentication with. (This default works out of the box but must be updated in the base ‘apache` class with your specific certificate information before being used in production.)
ssl_crl_check (Optional[String]) (defaults to: $apache::default_ssl_crl_check) —

Sets the certificate revocation check level via the [SSLCARevocationCheck directive](httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationcheck) for ssl client authentication. The default works out of the box but must be specified when using CRLs in production. Only applicable to Apache 2.4 or higher; the value is ignored on older versions.
ssl_key (Optional[Stdlib::Absolutepath]) (defaults to: $apache::default_ssl_key) —

Specifies the SSL key. Defaults are based on your operating system. Default work out of the box but must be updated in the base ‘apache` class with your specific certificate information before being used in production.
ssl_verify_client (Optional[Enum['none', 'optional', 'require', 'optional_no_ca']]) (defaults to: undef) —
Sets the [SSLVerifyClient](httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifyclient) directive, which sets the certificate verification level for client authentication. “‘ puppet apache::vhost { ’sample.example.net’:
```
...
ssl_verify_client => 'optional',
```
} “‘
ssl_verify_depth (Optional[Integer]) (defaults to: undef) —
Sets the [SSLVerifyDepth](httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifydepth) directive, which specifies the maximum depth of CA certificates in client certificate verification. You must set ‘ssl_verify_client` for it to take effect. “` puppet apache::vhost { ’sample.example.net’:
```
...
ssl_verify_client => 'require',
ssl_verify_depth => 1,
```
} “‘
ssl_proxy_protocol (Optional[String]) (defaults to: undef) —

Sets the [SSLProxyProtocol](httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyprotocol) directive, which controls which SSL protocol flavors ‘mod_ssl` should use when establishing its server environment for proxy. It connects to servers using only one of the provided protocols.
ssl_proxy_verify (Optional[Enum['none', 'optional', 'require', 'optional_no_ca']]) (defaults to: undef) —

Sets the [SSLProxyVerify](httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyverify) directive, which configures certificate verification of the remote server when a proxy is configured to forward requests to a remote SSL server.
ssl_proxy_verify_depth (Optional[Integer[0]]) (defaults to: undef) —

Sets the [SSLProxyVerifyDepth](httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyverifydepth) directive, which configures how deeply mod_ssl should verify before deciding that the remote server does not have a valid certificate. A depth of 0 means that only self-signed remote server certificates are accepted, the default depth of 1 means the remote server certificate can be self-signed or signed by a CA that is directly known to the server.
ssl_proxy_cipher_suite (Optional[String]) (defaults to: undef) —

Sets the [SSLProxyCipherSuite](httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyciphersuite) directive, which controls cipher suites supported for ssl proxy traffic.
ssl_proxy_ca_cert (Optional[Stdlib::Absolutepath]) (defaults to: undef) —

Sets the [SSLProxyCACertificateFile](httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycacertificatefile) directive, which specifies an all-in-one file where you can assemble the Certificates of Certification Authorities (CA) whose remote servers you deal with. These are used for Remote Server Authentication. This file should be a concatenation of the PEM-encoded certificate files in order of preference.
ssl_proxy_machine_cert (Optional[Stdlib::Absolutepath]) (defaults to: undef) —
Sets the [SSLProxyMachineCertificateFile](httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxymachinecertificatefile) directive, which specifies an all-in-one file where you keep the certs and keys used for this server to authenticate itself to remote servers. This file should be a concatenation of the PEM-encoded certificate files in order of preference. “‘ puppet apache::vhost { ’sample.example.net’:
```
...
ssl_proxy_machine_cert => '/etc/httpd/ssl/client_certificate.pem',
```
} “‘
ssl_proxy_machine_cert_chain (Optional[Stdlib::Absolutepath]) (defaults to: undef) —

Sets the [SSLProxyMachineCertificateChainFile](httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxymachinecertificatechainfile) directive, which specifies an all-in-one file where you keep the certificate chain for all of the client certs in use. This directive will be needed if the remote server presents a list of CA certificates that are not direct signers of one of the configured client certificates. This referenced file is simply the concatenation of the various PEM-encoded certificate files. Upon startup, each client certificate configured will be examined and a chain of trust will be constructed.
ssl_proxy_check_peer_cn (Optional[Apache::OnOff]) (defaults to: undef) —

Sets the [SSLProxyCheckPeerCN](httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeercn) directive, which specifies whether the remote server certificate’s CN field is compared against the hostname of the request URL.
ssl_proxy_check_peer_name (Optional[Apache::OnOff]) (defaults to: undef) —

Sets the [SSLProxyCheckPeerName](httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeername) directive, which specifies whether the remote server certificate’s CN field is compared against the hostname of the request URL.
ssl_proxy_check_peer_expire (Optional[Apache::OnOff]) (defaults to: undef) —

Sets the [SSLProxyCheckPeerExpire](httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxycheckpeerexpire) directive, which specifies whether the remote server certificate is checked for expiration or not.
ssl_openssl_conf_cmd (Optional[String]) (defaults to: undef) —

Sets the [SSLOpenSSLConfCmd](httpd.apache.org/docs/current/mod/mod_ssl.html#sslopensslconfcmd) directive, which provides direct configuration of OpenSSL parameters.
ssl_proxyengine (Boolean) (defaults to: false) —

Specifies whether or not to use [SSLProxyEngine](httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyengine).
ssl_stapling (Optional[Boolean]) (defaults to: undef) —

Specifies whether or not to use [SSLUseStapling](httpd.apache.org/docs/current/mod/mod_ssl.html#sslusestapling). By default, uses what is set globally. This parameter only applies to Apache 2.4 or higher and is ignored on older versions.
ssl_stapling_timeout (Optional[Integer]) (defaults to: undef) —

Can be used to set the [SSLStaplingResponderTimeout](httpd.apache.org/docs/current/mod/mod_ssl.html#sslstaplingrespondertimeout) directive. This parameter only applies to Apache 2.4 or higher and is ignored on older versions.
ssl_stapling_return_errors (Optional[Apache::OnOff]) (defaults to: undef) —

Can be used to set the [SSLStaplingReturnResponderErrors](httpd.apache.org/docs/current/mod/mod_ssl.html#sslstaplingreturnrespondererrors) directive. This parameter only applies to Apache 2.4 or higher and is ignored on older versions.
ssl_user_name (Optional[String]) (defaults to: undef) —

Sets the [SSLUserName](httpd.apache.org/docs/current/mod/mod_ssl.html#sslusername) directive.
ssl_reload_on_change (Boolean) (defaults to: $apache::default_ssl_reload_on_change) —

Enable reloading of apache if the content of ssl files have changed.
use_canonical_name (Optional[Variant[Apache::OnOff, Enum['DNS', 'dns']]]) (defaults to: undef) —

Specifies whether to use the [‘UseCanonicalName directive`](httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname), which allows you to configure how the server determines it’s own name and port.
define (Hash) (defaults to: {}) —

this lets you define configuration variables inside a vhost using [‘Define`](httpd.apache.org/docs/2.4/mod/core.html#define), these can then be used to replace configuration values. All Defines are Undefined at the end of the VirtualHost.
auth_oidc (Boolean) (defaults to: false) —

Enable ‘mod_auth_openidc` parameters for OpenID Connect authentication.
oidc_settings (Apache::OIDCSettings) (defaults to: {}) —

An Apache::OIDCSettings Struct containing (mod_auth_openidc settings).
limitreqfields (Optional[Integer]) (defaults to: undef) —

The ‘limitreqfields` parameter sets the maximum number of request header fields in an HTTP request. This directive gives the server administrator greater control over abnormal client request behavior, which may be useful for avoiding some forms of denial-of-service attacks. The value should be increased if normal clients see an error response from the server that indicates too many fields were sent in the request.
limitreqfieldsize (Optional[Integer]) (defaults to: undef) —

The ‘limitreqfieldsize` parameter sets the maximum ammount of bytes that will be allowed within a request header.
limitreqline (Optional[Integer]) (defaults to: undef) —

Limit the size of the HTTP request line that will be accepted from the client This directive sets the number of bytes that will be allowed on the HTTP request-line. The LimitRequestLine directive allows the server administrator to set the limit on the allowed size of a client’s HTTP request-line. Since the request-line consists of the HTTP method, URI, and protocol version, the LimitRequestLine directive places a restriction on the length of a request-URI allowed for a request on the server. A server needs this value to be large enough to hold any of its resource names, including any information that might be passed in the query part of a GET request.
limitreqbody (Optional[Integer]) (defaults to: undef) —

Restricts the total size of the HTTP request body sent from the client The LimitRequestBody directive allows the user to set a limit on the allowed size of an HTTP request message body within the context in which the directive is given (server, per-directory, per-file or per-location). If the client request exceeds that limit, the server will return an error response instead of servicing the request.
use_servername_for_filenames (Boolean) (defaults to: false) —

When set to true, default log / config file names will be derived from the sanitized value of the $servername parameter. When set to false (default), the existing behaviour of using the $name parameter will remain.
use_port_for_filenames (Boolean) (defaults to: false) —

When set to true and use_servername_for_filenames is also set to true, default log / config file names will be derived from the sanitized value of both the $servername and $port parameters. When set to false (default), the port is not included in the file names and may lead to duplicate declarations if two virtual hosts use the same domain.
mdomain (Optional[Variant[Boolean, String]]) (defaults to: undef) —

All the names in the list are managed as one Managed Domain (MD). mod_md will request one single certificate that is valid for all these names.
proxy_requests (Boolean) (defaults to: false) —

Whether to accept proxy requests
userdir (Optional[Variant[String[1], Array[String[1]]]]) (defaults to: undef) —

Instances of apache::mod::userdir

# File 'manifests/vhost.pp', line 1708

define apache::vhost (
  Variant[Stdlib::Absolutepath, Boolean] $docroot,
  Boolean $manage_docroot                                                             = true,
  Variant[Stdlib::Absolutepath, Boolean] $virtual_docroot                             = false,
  Boolean $virtual_use_default_docroot                                                = false,
  Optional[Variant[Array[Stdlib::Port], Stdlib::Port]] $port                          = undef,
  Optional[
    Variant[
      Array[Variant[Stdlib::IP::Address, Enum['*']]],
      Variant[Stdlib::IP::Address, Enum['*']]
    ]
  ] $ip                                                                               = undef,
  Boolean $ip_based                                                                   = false,
  Boolean $add_listen                                                                 = true,
  String $docroot_owner                                                               = 'root',
  String $docroot_group                                                               = $apache::params::root_group,
  Optional[Stdlib::Filemode] $docroot_mode                                            = undef,
  Array[Enum['h2', 'h2c', 'http/1.1']] $protocols                                     = [],
  Optional[Boolean] $protocols_honor_order                                            = undef,
  Optional[String] $serveradmin                                                       = undef,
  Boolean $ssl                                                                        = false,
  Optional[Stdlib::Absolutepath] $ssl_cert                                            = $apache::default_ssl_cert,
  Optional[Stdlib::Absolutepath] $ssl_key                                             = $apache::default_ssl_key,
  Optional[Stdlib::Absolutepath] $ssl_chain                                           = $apache::default_ssl_chain,
  Optional[Stdlib::Absolutepath] $ssl_ca                                              = $apache::default_ssl_ca,
  Optional[Stdlib::Absolutepath] $ssl_crl_path                                        = $apache::default_ssl_crl_path,
  Optional[Stdlib::Absolutepath] $ssl_crl                                             = $apache::default_ssl_crl,
  Optional[String] $ssl_crl_check                                                     = $apache::default_ssl_crl_check,
  Optional[Stdlib::Absolutepath] $ssl_certs_dir                                       = $apache::params::ssl_certs_dir,
  Boolean $ssl_reload_on_change                                                       = $apache::default_ssl_reload_on_change,
  Optional[Variant[Array[String], String]] $ssl_protocol                              = undef,
  Optional[Variant[Array[String[1]], String[1], Hash[String[1], String[1]]]] $ssl_cipher = undef,
  Variant[Boolean, Apache::OnOff, Undef] $ssl_honorcipherorder                        = undef,
  Optional[Enum['none', 'optional', 'require', 'optional_no_ca']] $ssl_verify_client  = undef,
  Optional[Integer] $ssl_verify_depth                                                 = undef,
  Optional[Enum['none', 'optional', 'require', 'optional_no_ca']] $ssl_proxy_verify   = undef,
  Optional[Integer[0]] $ssl_proxy_verify_depth                                        = undef,
  Optional[Stdlib::Absolutepath] $ssl_proxy_ca_cert                                   = undef,
  Optional[Apache::OnOff] $ssl_proxy_check_peer_cn                                    = undef,
  Optional[Apache::OnOff] $ssl_proxy_check_peer_name                                  = undef,
  Optional[Apache::OnOff] $ssl_proxy_check_peer_expire                                = undef,
  Optional[Stdlib::Absolutepath] $ssl_proxy_machine_cert                              = undef,
  Optional[Stdlib::Absolutepath] $ssl_proxy_machine_cert_chain                        = undef,
  Optional[String] $ssl_proxy_cipher_suite                                            = undef,
  Optional[String] $ssl_proxy_protocol                                                = undef,
  Optional[Variant[Array[String], String]] $ssl_options                               = undef,
  Optional[String] $ssl_openssl_conf_cmd                                              = undef,
  Boolean $ssl_proxyengine                                                            = false,
  Optional[Boolean] $ssl_stapling                                                     = undef,
  Optional[Integer] $ssl_stapling_timeout                                             = undef,
  Optional[Apache::OnOff] $ssl_stapling_return_errors                                 = undef,
  Optional[String] $ssl_user_name                                                     = undef,
  Optional[Apache::Vhost::Priority] $priority                                         = undef,
  Boolean $default_vhost                                                              = false,
  Optional[String] $servername                                                        = $name,
  Variant[Array[String], String] $serveraliases                                       = [],
  Array[String] $options                                                              = ['Indexes', 'FollowSymLinks', 'MultiViews'],
  Array[String] $override                                                             = ['None'],
  Optional[String] $directoryindex                                                    = undef,
  String $vhost_name                                                                  = '*',
  Stdlib::Absolutepath $logroot                                                       = $apache::logroot,
  Enum['directory', 'absent'] $logroot_ensure                                         = 'directory',
  Optional[Stdlib::Filemode] $logroot_mode                                            = undef,
  Optional[String] $logroot_owner                                                     = undef,
  Optional[String] $logroot_group                                                     = undef,
  Optional[Apache::LogLevel] $log_level                                               = undef,
  Boolean $access_log                                                                 = true,
  Optional[String[1]] $access_log_file                                                = undef,
  Optional[String[1]] $access_log_pipe                                                = undef,
  Optional[Variant[String, Boolean]] $access_log_syslog                               = undef,
  Optional[String[1]] $access_log_format                                              = undef,
  Optional[Variant[Boolean, String]] $access_log_env_var                              = undef,
  Optional[Array[Hash]] $access_logs                                                  = undef,
  Boolean $use_servername_for_filenames                                               = false,
  Boolean $use_port_for_filenames                                                     = false,
  Array[Hash[String[1], String[1]]] $aliases                                          = [],
  Array[Hash] $directories                                                            = [],
  Boolean $error_log                                                                  = true,
  Optional[String] $error_log_file                                                    = undef,
  Optional[String] $error_log_pipe                                                    = undef,
  Optional[Variant[String, Boolean]] $error_log_syslog                                = undef,
  Optional[
    Array[
      Variant[
        String,
        Hash[String, Enum['connection', 'request']]
      ]
    ]
  ] $error_log_format                                                                 = undef,
  Optional[Pattern[/^((Strict|Unsafe)?\s*(\b(Registered|Lenient)Methods)?\s*(\b(Allow0\.9|Require1\.0))?)$/]] $http_protocol_options = undef,
  Optional[Variant[String, Boolean]] $modsec_audit_log                                = undef,
  Optional[String] $modsec_audit_log_file                                             = undef,
  Optional[String] $modsec_audit_log_pipe                                             = undef,
  Variant[Array[Hash], String] $error_documents                                       = [],
  Optional[Variant[Stdlib::Absolutepath, Enum['disabled']]] $fallbackresource         = undef,
  Optional[String] $scriptalias                                                       = undef,
  Optional[Integer] $limitreqfieldsize                                                = undef,
  Optional[Integer] $limitreqfields                                                   = undef,
  Optional[Integer] $limitreqline                                                     = undef,
  Optional[Integer] $limitreqbody                                                     = undef,
  Optional[String] $proxy_dest                                                        = undef,
  Optional[String] $proxy_dest_match                                                  = undef,
  Optional[String] $proxy_dest_reverse_match                                          = undef,
  Optional[Variant[Array[Hash], Hash]] $proxy_pass                                    = undef,
  Optional[Variant[Array[Hash], Hash]] $proxy_pass_match                              = undef,
  Boolean $proxy_requests                                                             = false,
  Hash $php_flags                                                                     = {},
  Hash $php_values                                                                    = {},
  Variant[Array[String], Hash] $php_admin_flags                                       = {},
  Variant[Array[String], Hash] $php_admin_values                                      = {},
  Variant[Array[String], String] $no_proxy_uris                                       = [],
  Variant[Array[String], String] $no_proxy_uris_match                                 = [],
  Boolean $proxy_preserve_host                                                        = false,
  Optional[Variant[String, Boolean]] $proxy_add_headers                               = undef,
  Boolean $proxy_error_override                                                       = false,
  Variant[String, Array[String]] $redirect_source                                     = '/',
  Optional[Variant[Array[String], String]] $redirect_dest                             = undef,
  Optional[Variant[Array[String], String]] $redirect_status                           = undef,
  Optional[Variant[Array[String], String]] $redirectmatch_status                      = undef,
  Optional[Variant[Array[String], String]] $redirectmatch_regexp                      = undef,
  Optional[Variant[Array[String], String]] $redirectmatch_dest                        = undef,
  Array[String[1]] $headers                                                           = [],
  Array[String[1]] $request_headers                                                   = [],
  Array[String[1]] $filters                                                           = [],
  Array[Hash] $rewrites                                                               = [],
  Optional[String[1]] $rewrite_base                                                   = undef,
  Optional[Variant[Array[String[1]], String[1]]] $rewrite_rule                        = undef,
  Array[String[1]] $rewrite_cond                                                      = [],
  Boolean $rewrite_inherit                                                            = false,
  Variant[Array[String], String] $setenv                                              = [],
  Variant[Array[String], String] $setenvif                                            = [],
  Variant[Array[String], String] $setenvifnocase                                      = [],
  Variant[Array[String], String] $block                                               = [],
  Enum['absent', 'present'] $ensure                                                   = 'present',
  Boolean $show_diff                                                                  = true,
  Optional[String] $wsgi_application_group                                            = undef,
  Optional[Variant[String, Hash]] $wsgi_daemon_process                                = undef,
  Optional[Hash] $wsgi_daemon_process_options                                         = undef,
  Optional[String] $wsgi_import_script                                                = undef,
  Optional[Hash] $wsgi_import_script_options                                          = undef,
  Optional[String] $wsgi_process_group                                                = undef,
  Optional[Hash] $wsgi_script_aliases_match                                           = undef,
  Optional[Hash] $wsgi_script_aliases                                                 = undef,
  Optional[Apache::OnOff] $wsgi_pass_authorization                                    = undef,
  Optional[Apache::OnOff] $wsgi_chunked_request                                       = undef,
  Optional[String] $custom_fragment                                                   = undef,
  Optional[Hash] $itk                                                                 = undef,
  Optional[String] $action                                                            = undef,
  Variant[Array[String], String] $additional_includes                                 = [],
  Boolean $use_optional_includes                                                      = $apache::use_optional_includes,
  Optional[Variant[Apache::OnOff, Enum['nodecode']]] $allow_encoded_slashes           = undef,
  Optional[Pattern[/^[\w-]+ [\w-]+$/]] $suexec_user_group                             = undef,

  Optional[Boolean] $h2_copy_files                                                    = undef,
  Optional[Boolean] $h2_direct                                                        = undef,
  Optional[Boolean] $h2_early_hints                                                   = undef,
  Optional[Integer] $h2_max_session_streams                                           = undef,
  Optional[Boolean] $h2_modern_tls_only                                               = undef,
  Optional[Boolean] $h2_push                                                          = undef,
  Optional[Integer] $h2_push_diary_size                                               = undef,
  Array[String]     $h2_push_priority                                                 = [],
  Array[String]     $h2_push_resource                                                 = [],
  Optional[Boolean] $h2_serialize_headers                                             = undef,
  Optional[Integer] $h2_stream_max_mem_size                                           = undef,
  Optional[Integer] $h2_tls_cool_down_secs                                            = undef,
  Optional[Integer] $h2_tls_warm_up_size                                              = undef,
  Optional[Boolean] $h2_upgrade                                                       = undef,
  Optional[Integer] $h2_window_size                                                   = undef,

  Optional[Boolean] $passenger_enabled                                                = undef,
  Optional[String] $passenger_base_uri                                                = undef,
  Optional[Stdlib::Absolutepath] $passenger_ruby                                      = undef,
  Optional[Stdlib::Absolutepath] $passenger_python                                    = undef,
  Optional[Stdlib::Absolutepath] $passenger_nodejs                                    = undef,
  Optional[String] $passenger_meteor_app_settings                                     = undef,
  Optional[String] $passenger_app_env                                                 = undef,
  Optional[Stdlib::Absolutepath] $passenger_app_root                                  = undef,
  Optional[String] $passenger_app_group_name                                          = undef,
  Optional[String] $passenger_app_start_command                                       = undef,
  Optional[Enum['meteor', 'node', 'rack', 'wsgi']] $passenger_app_type                = undef,
  Optional[String] $passenger_startup_file                                            = undef,
  Optional[String] $passenger_restart_dir                                             = undef,
  Optional[Enum['direct', 'smart']] $passenger_spawn_method                           = undef,
  Optional[Boolean] $passenger_load_shell_envvars                                     = undef,
  Optional[Boolean] $passenger_preload_bundler                                        = undef,
  Optional[Boolean] $passenger_rolling_restarts                                       = undef,
  Optional[Boolean] $passenger_resist_deployment_errors                               = undef,
  Optional[String] $passenger_user                                                    = undef,
  Optional[String] $passenger_group                                                   = undef,
  Optional[Boolean] $passenger_friendly_error_pages                                   = undef,
  Optional[Integer] $passenger_min_instances                                          = undef,
  Optional[Integer] $passenger_max_instances                                          = undef,
  Optional[Integer] $passenger_max_preloader_idle_time                                = undef,
  Optional[Integer] $passenger_force_max_concurrent_requests_per_process              = undef,
  Optional[Integer] $passenger_start_timeout                                          = undef,
  Optional[Enum['process', 'thread']] $passenger_concurrency_model                    = undef,
  Optional[Integer] $passenger_thread_count                                           = undef,
  Optional[Integer] $passenger_max_requests                                           = undef,
  Optional[Integer] $passenger_max_request_time                                       = undef,
  Optional[Integer] $passenger_memory_limit                                           = undef,
  Optional[Integer] $passenger_stat_throttle_rate                                     = undef,
  Optional[Variant[String, Array[String]]] $passenger_pre_start                       = undef,
  Optional[Boolean] $passenger_high_performance                                       = undef,
  Optional[Boolean] $passenger_buffer_upload                                          = undef,
  Optional[Boolean] $passenger_buffer_response                                        = undef,
  Optional[Boolean] $passenger_error_override                                         = undef,
  Optional[Integer] $passenger_max_request_queue_size                                 = undef,
  Optional[Integer] $passenger_max_request_queue_time                                 = undef,
  Optional[Boolean] $passenger_sticky_sessions                                        = undef,
  Optional[String] $passenger_sticky_sessions_cookie_name                             = undef,
  Optional[String] $passenger_sticky_sessions_cookie_attributes                       = undef,
  Optional[Boolean] $passenger_allow_encoded_slashes                                  = undef,
  Optional[String] $passenger_app_log_file                                            = undef,
  Optional[Boolean] $passenger_debugger                                               = undef,
  Optional[Integer] $passenger_lve_min_uid                                            = undef,
  Optional[String] $passenger_admin_panel_url                                         = undef,
  Optional[Enum['basic']] $passenger_admin_panel_auth_type                            = undef,
  Optional[String] $passenger_admin_panel_username                                    = undef,
  Optional[String] $passenger_admin_panel_password                                    = undef,
  Optional[String] $passenger_dump_config_manifest                                    = undef,
  Optional[String] $add_default_charset                                               = undef,
  Boolean $modsec_disable_vhost                                                       = false,
  Optional[Variant[Hash, Array]] $modsec_disable_ids                                  = undef,
  Array[String[1]] $modsec_disable_ips                                                = [],
  Optional[Variant[Hash, Array]] $modsec_disable_msgs                                 = undef,
  Optional[Variant[Hash, Array]] $modsec_disable_tags                                 = undef,
  Optional[String] $modsec_body_limit                                                 = undef,
  Optional[Integer[1, default]] $modsec_inbound_anomaly_threshold                     = undef,
  Optional[Integer[1, default]] $modsec_outbound_anomaly_threshold                    = undef,
  Optional[String] $modsec_allowed_methods                                            = undef,
  Array[Hash] $jk_mounts                                                              = [],
  Boolean $auth_kerb                                                                  = false,
  Apache::OnOff $krb_method_negotiate                                                 = 'on',
  Apache::OnOff $krb_method_k5passwd                                                  = 'on',
  Apache::OnOff $krb_authoritative                                                    = 'on',
  Array[String] $krb_auth_realms                                                      = [],
  Optional[String] $krb_5keytab                                                       = undef,
  Optional[Apache::OnOff] $krb_local_user_mapping                                     = undef,
  Apache::OnOff $krb_verify_kdc                                                       = 'on',
  String $krb_servicename                                                             = 'HTTP',
  Apache::OnOff $krb_save_credentials                                                 = 'off',
  Optional[Apache::OnOff] $keepalive                                                  = undef,
  Optional[Variant[Integer, String]] $keepalive_timeout                               = undef,
  Optional[Variant[Integer, String]] $max_keepalive_requests                          = undef,
  Optional[String] $cas_attribute_prefix                                              = undef,
  Optional[String] $cas_attribute_delimiter                                           = undef,
  Optional[String] $cas_root_proxied_as                                               = undef,
  Boolean $cas_scrub_request_headers                                                  = false,
  Boolean $cas_sso_enabled                                                            = false,
  Optional[String] $cas_login_url                                                     = undef,
  Optional[String] $cas_validate_url                                                  = undef,
  Boolean $cas_validate_saml                                                          = false,
  Optional[String] $cas_cookie_path                                                   = undef,
  Optional[String] $shib_compat_valid_user                                            = undef,
  Optional[Variant[Apache::OnOff, Enum['DNS', 'dns']]] $use_canonical_name            = undef,
  Optional[Variant[String, Array[String]]] $comment                                   = undef,
  Hash $define                                                                        = {},
  Boolean $auth_oidc                                                                  = false,
  Apache::OIDCSettings $oidc_settings                                                 = {},
  Optional[Variant[Boolean, String]] $mdomain                                         = undef,
  Optional[Variant[String[1], Array[String[1]]]] $userdir                             = undef,
) {
  # The base class must be included first because it is used by parameter defaults
  if ! defined(Class['apache']) {
    fail('You must include the apache base class before using any apache defined resources')
  }

  $apache_name = $apache::apache_name

  # Input validation begins

  if $access_log_file and $access_log_pipe {
    fail("Apache::Vhost[${name}]: 'access_log_file' and 'access_log_pipe' cannot be defined at the same time")
  }

  if $error_log_file and $error_log_pipe {
    fail("Apache::Vhost[${name}]: 'error_log_file' and 'error_log_pipe' cannot be defined at the same time")
  }

  if $modsec_audit_log_file and $modsec_audit_log_pipe {
    fail("Apache::Vhost[${name}]: 'modsec_audit_log_file' and 'modsec_audit_log_pipe' cannot be defined at the same time")
  }

  # Input validation ends

  if $ssl_honorcipherorder =~ Boolean or $ssl_honorcipherorder == undef {
    $_ssl_honorcipherorder = $ssl_honorcipherorder
  } else {
    $_ssl_honorcipherorder = $ssl_honorcipherorder ? {
      'on'    => true,
      'On'    => true,
      'off'   => false,
      'Off'   => false,
      default => true,
    }
  }

  # Configure the defaultness of a vhost
  if $priority {
    $priority_real = "${priority}-"
  } elsif $priority == false {
    $priority_real = ''
  } elsif $default_vhost {
    $priority_real = '10-'
  } else {
    $priority_real = '25-'
  }

  # https://httpd.apache.org/docs/2.4/fr/mod/core.html#servername
  # Syntax:	ServerName [scheme://]domain-name|ip-address[:port]
  # Sometimes, the server runs behind a device that processes SSL, such as a reverse proxy, load balancer or SSL offload
  # appliance.
  # When this is the case, specify the https:// scheme and the port number to which the clients connect in the ServerName
  # directive to make sure that the server generates the correct self-referential URLs.
  $normalized_servername = regsubst($servername, '(https?:\/\/)?([a-z0-9\/%_+.,#?!@&=-]+)(:?\d+)?', '\2', 'G')

  # IAC-1186: A number of configuration and log file names are generated using the $name parameter. It is possible for
  # the $name parameter to contain spaces, which could then be transferred to the log / config filenames. Although
  # POSIX compliant, this can be cumbersome.
  #
  # It seems more appropriate to use the $servername parameter to derive default log / config filenames from. We should
  # also perform some sanitiation on the $servername parameter to strip spaces from it, as it defaults to the value of
  # $name, should $servername NOT be defined.
  #
  # Because a single hostname may be use by multiple virtual hosts listening on different ports, the $port paramter can
  # optionaly be used to avoid duplicate resources.
  $filename = $use_servername_for_filenames ? {
    true => $use_port_for_filenames ? {
      true  => regsubst("${normalized_servername}-${port}", ' ', '_', 'G'),
      false => regsubst($normalized_servername, ' ', '_', 'G'),
    },
    false => $name,
  }

  # This ensures that the docroot exists
  # But enables it to be specified across multiple vhost resources
  if $manage_docroot and $docroot and ! defined(File[$docroot]) {
    file { $docroot:
      ensure  => directory,
      owner   => $docroot_owner,
      group   => $docroot_group,
      mode    => $docroot_mode,
      require => Package['httpd'],
      before  => Concat["${priority_real}${filename}.conf"],
    }
  }

  # Same as above, but for logroot
  if ! defined(File[$logroot]) {
    file { $logroot:
      ensure  => $logroot_ensure,
      owner   => $logroot_owner,
      group   => $logroot_group,
      mode    => $logroot_mode,
      require => Package['httpd'],
      before  => Concat["${priority_real}${filename}.conf"],
      notify  => Class['Apache::Service'],
    }
  }

  # Is apache::mod::shib enabled (or apache::mod['shib2'])
  $shibboleth_enabled = defined(Apache::Mod['shib2'])

  # Is apache::mod::cas enabled (or apache::mod['cas'])
  $cas_enabled = defined(Apache::Mod['auth_cas'])

  if $access_log and !$access_logs {
    $_access_logs = [{
        'file'        => $access_log_file,
        'pipe'        => $access_log_pipe,
        'syslog'      => $access_log_syslog,
        'format'      => $access_log_format,
        'env'         => $access_log_env_var
    }]
  } elsif $access_logs {
    $_access_logs = $access_logs
  } else {
    $_access_logs = []
  }

  if $error_log_file {
    if $error_log_file =~ /^\// {
      # Absolute path provided - don't prepend $logroot
      $error_log_destination = $error_log_file
    } else {
      $error_log_destination = "${logroot}/${error_log_file}"
    }
  } elsif $error_log_pipe {
    $error_log_destination = $error_log_pipe
  } elsif $error_log_syslog {
    $error_log_destination = $error_log_syslog
  } else {
    if $ssl {
      $error_log_destination = "${logroot}/${filename}_error_ssl.log"
    } else {
      $error_log_destination = "${logroot}/${filename}_error.log"
    }
  }

  if $modsec_audit_log == false {
    $modsec_audit_log_destination = undef
  } elsif $modsec_audit_log_file {
    $modsec_audit_log_destination = "${logroot}/${modsec_audit_log_file}"
  } elsif $modsec_audit_log_pipe {
    $modsec_audit_log_destination = $modsec_audit_log_pipe
  } elsif $modsec_audit_log {
    if $ssl {
      $modsec_audit_log_destination = "${logroot}/${filename}_security_ssl.log"
    } else {
      $modsec_audit_log_destination = "${logroot}/${filename}_security.log"
    }
  } else {
    $modsec_audit_log_destination = undef
  }

  if $ip {
    $_ip = any2array(enclose_ipv6($ip))
    if $port {
      $_port = any2array($port)
      $listen_addr_port = split(inline_template("<%= @_ip.product(@_port).map {|x| x.join(':')  }.join(',')%>"), ',')
      $nvh_addr_port = split(inline_template("<%= @_ip.product(@_port).map {|x| x.join(':')  }.join(',')%>"), ',')
    } else {
      $listen_addr_port = undef
      $nvh_addr_port = $_ip
      if ! $servername and ! $ip_based {
        fail("Apache::Vhost[${name}]: must pass 'ip' and/or 'port' parameters for name-based vhosts")
      }
    }
  } else {
    if $port {
      $listen_addr_port = $port
      $nvh_addr_port = prefix(any2array($port), "${vhost_name}:")
    } else {
      $listen_addr_port = undef
      $nvh_addr_port = $name
      if ! $servername and $servername != '' {
        fail("Apache::Vhost[${name}]: must pass 'ip' and/or 'port' parameters, and/or 'servername' parameter")
      }
    }
  }

  if $add_listen {
    if $ip and defined(Apache::Listen[String($port)]) {
      fail("Apache::Vhost[${name}]: Mixing IP and non-IP Listen directives is not possible; check the add_listen parameter of the apache::vhost define to disable this")
    }
    if $listen_addr_port and $ensure == 'present' {
      ensure_resource('apache::listen', $listen_addr_port)
    }
  }

  ## Create a default directory list if none defined
  if !empty($directories) {
    $_directories = $directories
  } elsif $docroot {
    $_directories = [
      {
        provider       => 'directory',
        path           => $docroot,
        options        => $options,
        allow_override => $override,
        directoryindex => $directoryindex,
        require        => 'all granted',
      },
    ]
  } else {
    $_directories = []
  }

  ## Create a global LocationMatch if locations aren't defined
  if $modsec_disable_ids {
    if $modsec_disable_ids =~ Array {
      $_modsec_disable_ids = { '.*' => $modsec_disable_ids }
    } else {
      $_modsec_disable_ids = $modsec_disable_ids
    }
  }

  if $modsec_disable_msgs {
    if $modsec_disable_msgs =~ Array {
      $_modsec_disable_msgs = { '.*' => $modsec_disable_msgs }
    } else {
      $_modsec_disable_msgs = $modsec_disable_msgs
    }
  }

  if $modsec_disable_tags {
    if $modsec_disable_tags =~ Array {
      $_modsec_disable_tags = { '.*' => $modsec_disable_tags }
    } else {
      $_modsec_disable_tags = $modsec_disable_tags
    }
  }

  concat { "${priority_real}${filename}.conf":
    ensure    => $ensure,
    path      => "${apache::vhost_dir}/${priority_real}${filename}.conf",
    owner     => 'root',
    group     => $apache::params::root_group,
    mode      => $apache::file_mode,
    show_diff => $show_diff,
    order     => 'numeric',
    require   => Package['httpd'],
    notify    => Class['apache::service'],
  }
  # NOTE(pabelanger): This code is duplicated in ::apache::vhost::custom and
  # needs to be converted into something generic.
  if $apache::vhost_enable_dir {
    $vhost_enable_dir = $apache::vhost_enable_dir
    $vhost_symlink_ensure = $ensure ? {
      'present' => link,
      default => $ensure,
    }
    file { "${priority_real}${filename}.conf symlink":
      ensure  => $vhost_symlink_ensure,
      path    => "${vhost_enable_dir}/${priority_real}${filename}.conf",
      target  => "${apache::vhost_dir}/${priority_real}${filename}.conf",
      owner   => 'root',
      group   => $apache::params::root_group,
      mode    => $apache::file_mode,
      require => Concat["${priority_real}${filename}.conf"],
      notify  => Class['apache::service'],
    }
  }

  $file_header_params = {
    'comment'               => $comment,
    'nvh_addr_port'         => $nvh_addr_port,
    'mdomain'               => $mdomain,
    'servername'            => $servername,
    'define'                => $define,
    'protocols'             => $protocols,
    'protocols_honor_order' => $protocols_honor_order,
    'limitreqfieldsize'     => $limitreqfieldsize,
    'limitreqfields'        => $limitreqfields,
    'limitreqline'          => $limitreqline,
    'limitreqbody'          => $limitreqbody,
    'serveradmin'           => $serveradmin,
  }

  concat::fragment { "${name}-apache-header":
    target  => "${priority_real}${filename}.conf",
    order   => 0,
    content => epp('apache/vhost/_file_header.epp', $file_header_params),
  }

  if $docroot and $ensure == 'present' {
    if $virtual_docroot {
      include apache::mod::vhost_alias
    }

    $docroot_params = {
      'virtual_docroot'             => $virtual_docroot,
      'docroot'                     => $docroot,
      'virtual_use_default_docroot' => $virtual_use_default_docroot,
    }

    concat::fragment { "${name}-docroot":
      target  => "${priority_real}${filename}.conf",
      order   => 10,
      content => epp('apache/vhost/_docroot.epp', $docroot_params),
    }
  }

  if ! empty($aliases) and $ensure == 'present' {
    include apache::mod::alias
    $aliases_params = {
      'aliases' => $aliases,
    }
    concat::fragment { "${name}-aliases":
      target  => "${priority_real}${filename}.conf",
      order   => 20,
      content => epp('apache/vhost/_aliases.epp', $aliases_params),
    }
  }

  if $itk and ! empty($itk) {
    $itk_params = {
      'itk'           => $itk,
      'kernelversion' => $facts['kernelversion'],
    }
    concat::fragment { "${name}-itk":
      target  => "${priority_real}${filename}.conf",
      order   => 30,
      content => epp('apache/vhost/_itk.epp', $itk_params),
    }
  }

  if $fallbackresource {
    $fall_back_res_params = {
      'fallbackresource' => $fallbackresource,
    }
    concat::fragment { "${name}-fallbackresource":
      target  => "${priority_real}${filename}.conf",
      order   => 40,
      content => epp('apache/vhost/_fallbackresource.epp', $fall_back_res_params),
    }
  }

  if $allow_encoded_slashes {
    $allow_encoded_slashes_params = {
      'allow_encoded_slashes' => $allow_encoded_slashes,
    }
    concat::fragment { "${name}-allow_encoded_slashes":
      target  => "${priority_real}${filename}.conf",
      order   => 50,
      content => epp('apache/vhost/_allow_encoded_slashes.epp', $allow_encoded_slashes_params),
    }
  }

  if $ensure == 'present' {
    $_directories.each |Hash $directory| {
      if 'auth_basic_authoritative' in $directory or 'auth_basic_fake' in $directory or 'auth_basic_provider' in $directory {
        include apache::mod::auth_basic
      }

      if 'auth_user_file' in $directory {
        include apache::mod::authn_file
      }

      if 'auth_group_file' in $directory {
        include apache::mod::authz_groupfile
      }

      if 'gssapi' in $directory {
        include apache::mod::auth_gssapi
      }

      if $directory['provider'] and $directory['provider'] =~ 'location' and ('proxy_pass' in $directory or 'proxy_pass_match' in $directory) {
        include apache::mod::proxy_http

        # To match processing in templates/vhost/_directories.erb
        if $directory['proxy_pass_match'] {
          Array($directory['proxy_pass_match']).each |$proxy| {
            if $proxy['url'] =~ /"h2c?:\/\// {
              include apache::mod::proxy_http2
            }
          }
        } elsif $directory['proxy_pass'] {
          Array($directory['proxy_pass']).each |$proxy| {
            if $proxy['url'] =~ /"h2c?:\/\// {
              include apache::mod::proxy_http2
            }
          }
        }
      }

      if 'request_headers' in $directory {
        include apache::mod::headers
      }

      if 'rewrites' in $directory {
        include apache::mod::rewrite
      }

      if 'setenv' in $directory {
        include apache::mod::env
      }
    }

    # Template uses:
    # - $_directories
    # - $docroot
    # - $shibboleth_enabled
    # - $cas_enabled
    unless empty($_directories) {
      concat::fragment { "${name}-directories":
        target  => "${priority_real}${filename}.conf",
        order   => 60,
        content => template('apache/vhost/_directories.erb'),
      }
    }
  }

  # Template uses:
  # - $additional_includes
  # - $use_optional_includes
  if $additional_includes and ! empty($additional_includes) {
    concat::fragment { "${name}-additional_includes":
      target  => "${priority_real}${filename}.conf",
      order   => 70,
      content => template('apache/vhost/_additional_includes.erb'),
    }
  }

  if $error_log or $log_level {
    $logging_params = {
      'error_log'             => $error_log,
      'log_level'             => $log_level,
      'error_log_destination' => $error_log_destination,
      'error_log_format'      => $error_log_format,
    }
    concat::fragment { "${name}-logging":
      target  => "${priority_real}${filename}.conf",
      order   => 80,
      content => epp('apache/vhost/_logging.epp', $logging_params),
    }
  }

  # Template uses no variables
  concat::fragment { "${name}-serversignature":
    target  => "${priority_real}${filename}.conf",
    order   => 90,
    content => "  ServerSignature Off\n",
  }

  # Template uses:
  # - $_access_logs
  # - $_access_log_env_var
  # - $access_log_destination
  # - $_access_log_format
  # - $_access_log_env_var
  if !empty($_access_logs) {
    concat::fragment { "${name}-access_log":
      target  => "${priority_real}${filename}.conf",
      order   => 100,
      content => template('apache/vhost/_access_log.erb'),
    }
  }

  if $action {
    concat::fragment { "${name}-action":
      target  => "${priority_real}${filename}.conf",
      order   => 110,
      content => epp('apache/vhost/_action.epp', { 'action' => $action }),
    }
  }

  # Template uses:
  # - $block
  if $block and ! empty($block) {
    concat::fragment { "${name}-block":
      target  => "${priority_real}${filename}.conf",
      order   => 120,
      content => template('apache/vhost/_block.erb'),
    }
  }

  # Template uses:
  # - $error_documents
  if $error_documents and ! empty($error_documents) {
    concat::fragment { "${name}-error_document":
      target  => "${priority_real}${filename}.conf",
      order   => 130,
      content => template('apache/vhost/_error_document.erb'),
    }
  }

  if ! empty($headers) and $ensure == 'present' {
    include apache::mod::headers

    concat::fragment { "${name}-header":
      target  => "${priority_real}${filename}.conf",
      order   => 140,
      content => epp('apache/vhost/_header.epp', { 'headers' => $headers }),
    }
  }

  if ! empty($request_headers) and $ensure == 'present' {
    include apache::mod::headers

    concat::fragment { "${name}-requestheader":
      target  => "${priority_real}${filename}.conf",
      order   => 150,
      content => epp('apache/vhost/_requestheader.epp', { 'request_headers' => $request_headers }),
    }
  }

  if $ssl_proxyengine {
    $ssl_proxy_params = {
      'ssl_proxyengine'              => $ssl_proxyengine,
      'ssl_proxy_verify'             => $ssl_proxy_verify,
      'ssl_proxy_verify_depth'       => $ssl_proxy_verify_depth,
      'ssl_proxy_ca_cert'            => $ssl_proxy_ca_cert,
      'ssl_proxy_check_peer_cn'      => $ssl_proxy_check_peer_cn,
      'ssl_proxy_check_peer_name'    => $ssl_proxy_check_peer_name,
      'ssl_proxy_check_peer_expire'  => $ssl_proxy_check_peer_expire,
      'ssl_proxy_machine_cert'       => $ssl_proxy_machine_cert,
      'ssl_proxy_machine_cert_chain' => $ssl_proxy_machine_cert_chain,
      'ssl_proxy_cipher_suite'       => $ssl_proxy_cipher_suite,
      'ssl_proxy_protocol'           => $ssl_proxy_protocol,
    }
    concat::fragment { "${name}-sslproxy":
      target  => "${priority_real}${filename}.conf",
      order   => 160,
      content => epp('apache/vhost/_sslproxy.epp', $ssl_proxy_params),
    }
  }

  if ($proxy_dest or $proxy_pass or $proxy_pass_match or $proxy_dest_match or $proxy_preserve_host or ($proxy_add_headers =~ NotUndef)) and $ensure == 'present' {
    include apache::mod::proxy_http

    # To match processing in templates/vhost/_proxy.erb
    if $proxy_dest =~ Pattern[/^h2c?:\/\//] or $proxy_dest_match =~ Pattern[/^h2c?:\/\//] {
      include apache::mod::proxy_http2
    }
    [$proxy_pass, $proxy_pass_match].flatten.each |$proxy| {
      if $proxy and $proxy['url'] =~ Pattern[/^h2c?:\/\//] {
        include apache::mod::proxy_http2
      }
    }
    concat::fragment { "${name}-proxy":
      target  => "${priority_real}${filename}.conf",
      order   => 170,
      content => template('apache/vhost/_proxy.erb'),
    }
  }

  # Template uses:
  # - $redirect_source
  # - $redirect_dest
  # - $redirect_status
  # - $redirect_dest_a
  # - $redirect_source_a
  # - $redirect_status_a
  # - $redirectmatch_status
  # - $redirectmatch_regexp
  # - $redirectmatch_dest
  # - $redirectmatch_status_a
  # - $redirectmatch_regexp_a
  # - $redirectmatch_dest
  if (($redirect_source and $redirect_dest) or ($redirectmatch_regexp and $redirectmatch_dest)) and $ensure == 'present' {
    include apache::mod::alias

    concat::fragment { "${name}-redirect":
      target  => "${priority_real}${filename}.conf",
      order   => 180,
      content => template('apache/vhost/_redirect.erb'),
    }
  }

  # Template uses:
  # - $rewrites
  # - $rewrite_inherit
  # - $rewrite_base
  # - $rewrite_rule
  # - $rewrite_cond
  # - $rewrite_map
  if (! empty($rewrites) or $rewrite_rule or $rewrite_inherit) and $ensure == 'present' {
    include apache::mod::rewrite
    concat::fragment { "${name}-rewrite":
      target  => "${priority_real}${filename}.conf",
      order   => 190,
      content => template('apache/vhost/_rewrite.erb'),
    }
  }

  if $scriptalias and $ensure == 'present' {
    include apache::mod::alias
    concat::fragment { "${name}-scriptalias":
      target  => "${priority_real}${filename}.conf",
      order   => 200,
      content => epp('apache/vhost/_scriptalias.epp', { 'scriptalias' => $scriptalias }),
    }
  }

  if ! empty($serveraliases) and $ensure == 'present' {
    concat::fragment { "${name}-serveralias":
      target  => "${priority_real}${filename}.conf",
      order   => 210,
      content => epp('apache/vhost/_serveralias.epp', { 'serveraliases' => [$serveraliases].flatten }),
    }
  }

  # Template uses:
  # - $setenv
  # - $setenvif
  # - $setenvifnocase
  $use_env_mod = !empty($setenv)
  $use_setenvif_mod = !empty($setenvif) or !empty($setenvifnocase)
  if ($use_env_mod or $use_setenvif_mod) and $ensure == 'present' {
    if $use_env_mod {
      include apache::mod::env
    }
    if $use_setenvif_mod {
      include apache::mod::setenvif
    }

    concat::fragment { "${name}-setenv":
      target  => "${priority_real}${filename}.conf",
      order   => 220,
      content => template('apache/vhost/_setenv.erb'),
    }
  }

  # Template uses:
  # - $ssl
  # - $ssl_cert
  # - $ssl_key
  # - $ssl_chain
  # - $ssl_certs_dir
  # - $ssl_ca
  # - $ssl_crl_path
  # - $ssl_crl
  # - $ssl_crl_check
  # - $ssl_protocol
  # - $ssl_cipher
  # - $_ssl_honorcipherorder
  # - $ssl_verify_client
  # - $ssl_verify_depth
  # - $ssl_options
  # - $ssl_openssl_conf_cmd
  # - $ssl_stapling
  # - $mdomain
  if $ssl and $ensure == 'present' {
    include apache::mod::ssl
    concat::fragment { "${name}-ssl":
      target  => "${priority_real}${filename}.conf",
      order   => 230,
      content => template('apache/vhost/_ssl.erb'),
    }

    if $ssl_reload_on_change {
      [$ssl_cert, $ssl_key, $ssl_ca, $ssl_chain, $ssl_crl].each |$ssl_file| {
        if $ssl_file {
          include apache::mod::ssl::reload
          $_ssl_file_copy = regsubst($ssl_file, '/', '_', 'G')
          file { "${filename}${_ssl_file_copy}":
            path    => "${apache::params::puppet_ssl_dir}/${filename}${_ssl_file_copy}",
            source  => "file://${ssl_file}",
            owner   => 'root',
            group   => $apache::params::root_group,
            mode    => '0640',
            seltype => 'cert_t',
            notify  => Class['apache::service'],
          }
        }
      }
    }
  }

  if $auth_kerb and $ensure == 'present' {
    include apache::mod::auth_kerb

    concat::fragment { "${name}-auth_kerb":
      target  => "${priority_real}${filename}.conf",
      order   => 230,
      content => stdlib::deferrable_epp('apache/vhost/_auth_kerb.epp', {
          'auth_kerb'              => $auth_kerb,
          'krb_method_negotiate'   => $krb_method_negotiate,
          'krb_method_k5passwd'    => Deferred('sprintf', [$krb_method_k5passwd]),
          'krb_authoritative'      => $krb_authoritative,
          'krb_auth_realms'        => $krb_auth_realms,
          'krb_5keytab'            => $krb_5keytab,
          'krb_local_user_mapping' => $krb_local_user_mapping,
          'krb_verify_kdc'         => $krb_verify_kdc,
          'krb_servicename'        => $krb_servicename,
          'krb_save_credentials'   => $krb_save_credentials,
      }),
    }
  }

  # Template uses:
  # - $php_values
  # - $php_flags
  if ($php_values and ! empty($php_values)) or ($php_flags and ! empty($php_flags)) {
    concat::fragment { "${name}-php":
      target  => "${priority_real}${filename}.conf",
      order   => 240,
      content => template('apache/vhost/_php.erb'),
    }
  }

  # Template uses:
  # - $php_admin_values
  # - $php_admin_flags
  if ($php_admin_values and ! empty($php_admin_values)) or ($php_admin_flags and ! empty($php_admin_flags)) {
    concat::fragment { "${name}-php_admin":
      target  => "${priority_real}${filename}.conf",
      order   => 250,
      content => template('apache/vhost/_php_admin.erb'),
    }
  }

  if $wsgi_daemon_process_options {
    deprecation('apache::vhost::wsgi_daemon_process_options', 'This parameter is deprecated. Please add values inside Hash `wsgi_daemon_process`.')
  }
  if ($wsgi_application_group or $wsgi_daemon_process or ($wsgi_import_script and $wsgi_import_script_options) or $wsgi_process_group or ($wsgi_script_aliases and ! empty($wsgi_script_aliases)) or $wsgi_pass_authorization) and $ensure == 'present' {
    include apache::mod::wsgi
    $wsgi_params = {
      'wsgi_application_group' => $wsgi_application_group,
      'wsgi_daemon_process' => $wsgi_daemon_process,
      'wsgi_import_script' => $wsgi_import_script,
      'wsgi_process_group' => $wsgi_process_group,
      'wsgi_daemon_process_options'=> $wsgi_daemon_process_options,
      'wsgi_import_script_options' => $wsgi_import_script_options,
      'wsgi_script_aliases' => $wsgi_script_aliases,
      'wsgi_pass_authorization' => $wsgi_pass_authorization,
      'wsgi_chunked_request' => $wsgi_chunked_request,
      'wsgi_script_aliases_match' => $wsgi_script_aliases_match,
    }

    concat::fragment { "${name}-wsgi":
      target  => "${priority_real}${filename}.conf",
      order   => 260,
      content => epp('apache/vhost/_wsgi.epp', $wsgi_params),
    }
  }

  if $custom_fragment {
    $custom_fragment_params = {
      'custom_fragment' => $custom_fragment,
    }
    concat::fragment { "${name}-custom_fragment":
      target  => "${priority_real}${filename}.conf",
      order   => 270,
      content => epp('apache/vhost/_custom_fragment.epp', $custom_fragment_params),
    }
  }

  if $suexec_user_group and $ensure == 'present' {
    include apache::mod::suexec

    concat::fragment { "${name}-suexec":
      target  => "${priority_real}${filename}.conf",
      order   => 290,
      content => "  SuexecUserGroup ${suexec_user_group}\n",
    }
  }

  if ('h2' in $protocols or 'h2c' in $protocols or $h2_copy_files != undef or $h2_direct != undef or $h2_early_hints != undef or $h2_max_session_streams != undef or $h2_modern_tls_only != undef or $h2_push != undef or $h2_push_diary_size != undef or $h2_push_priority != [] or $h2_push_resource != [] or $h2_serialize_headers != undef or $h2_stream_max_mem_size != undef or $h2_tls_cool_down_secs != undef or $h2_tls_warm_up_size != undef or $h2_upgrade != undef or $h2_window_size != undef) and $ensure == 'present' {
    include apache::mod::http2
    $http2_params = {
      'h2_copy_files'          => $h2_copy_files,
      'h2_direct'              => $h2_direct,
      'h2_early_hints'         => $h2_early_hints,
      'h2_max_session_streams' => $h2_max_session_streams,
      'h2_modern_tls_only'     => $h2_modern_tls_only,
      'h2_push'                => $h2_push,
      'h2_push_diary_size'     => $h2_push_diary_size,
      'h2_push_priority'       => $h2_push_priority,
      'h2_push_resource'       => $h2_push_resource,
      'h2_serialize_headers'   => $h2_serialize_headers,
      'h2_stream_max_mem_size' => $h2_stream_max_mem_size,
      'h2_tls_cool_down_secs'  => $h2_tls_cool_down_secs,
      'h2_tls_warm_up_size'    => $h2_tls_warm_up_size,
      'h2_upgrade'             => $h2_upgrade,
      'h2_window_size'         => $h2_window_size,
    }

    concat::fragment { "${name}-http2":
      target  => "${priority_real}${filename}.conf",
      order   => 300,
      content => epp('apache/vhost/_http2.epp', $http2_params),
    }
  }

  if $mdomain and $ensure == 'present' {
    include apache::mod::md
  }

  if $userdir and $ensure == 'present' {
    include apache::mod::userdir

    concat::fragment { "${name}-userdir":
      target  => "${priority_real}${filename}.conf",
      order   => 300,
      content => epp('apache/vhost/_userdir.epp', { 'userdir' => $userdir }),
    }
  }

  if ($passenger_enabled != undef or $passenger_start_timeout != undef or $passenger_ruby != undef or $passenger_python != undef or $passenger_nodejs != undef or $passenger_meteor_app_settings != undef or $passenger_app_env != undef or $passenger_app_root != undef or $passenger_app_group_name != undef or $passenger_app_start_command != undef or $passenger_app_type != undef or$passenger_startup_file != undef or $passenger_restart_dir != undef or $passenger_spawn_method != undef or $passenger_load_shell_envvars != undef or $passenger_preload_bundler != undef or $passenger_rolling_restarts != undef or $passenger_resist_deployment_errors != undef or $passenger_min_instances != undef or $passenger_max_instances != undef or $passenger_max_preloader_idle_time != undef or $passenger_force_max_concurrent_requests_per_process != undef or $passenger_concurrency_model != undef or $passenger_thread_count != undef or $passenger_high_performance != undef or $passenger_max_request_queue_size != undef or $passenger_max_request_queue_time != undef or $passenger_user != undef or $passenger_group != undef or $passenger_friendly_error_pages != undef or $passenger_buffer_upload != undef or $passenger_buffer_response != undef or $passenger_allow_encoded_slashes != undef or $passenger_lve_min_uid != undef or $passenger_base_uri != undef or $passenger_error_override != undef or $passenger_sticky_sessions != undef or $passenger_sticky_sessions_cookie_name != undef or $passenger_sticky_sessions_cookie_attributes != undef or $passenger_app_log_file != undef or $passenger_debugger != undef or $passenger_max_requests != undef or $passenger_max_request_time != undef or $passenger_memory_limit != undef or $passenger_dump_config_manifest != undef) and $ensure == 'present' {
    include apache::mod::passenger
    $passenger_params = {
      'passenger_enabled'                                   => $passenger_enabled,
      'passenger_base_uri'                                  => $passenger_base_uri,
      'passenger_ruby'                                      => $passenger_ruby,
      'passenger_python'                                    => $passenger_python,
      'passenger_nodejs'                                    => $passenger_nodejs,
      'passenger_meteor_app_settings'                       => $passenger_meteor_app_settings,
      'passenger_app_env'                                   => $passenger_app_env,
      'passenger_app_root'                                  => $passenger_app_root,
      'passenger_app_group_name'                            => $passenger_app_group_name,
      'passenger_app_start_command'                         => $passenger_app_start_command,
      'passenger_app_type'                                  => $passenger_app_type,
      'passenger_startup_file'                              => $passenger_startup_file,
      'passenger_restart_dir'                               => $passenger_restart_dir,
      'passenger_spawn_method'                              => $passenger_spawn_method,
      'passenger_load_shell_envvars'                        => $passenger_load_shell_envvars,
      'passenger_preload_bundler'                           => $passenger_preload_bundler,
      'passenger_rolling_restarts'                          => $passenger_rolling_restarts,
      'passenger_resist_deployment_errors'                  => $passenger_resist_deployment_errors,
      'passenger_user'                                      => $passenger_user,
      'passenger_group'                                     => $passenger_group,
      'passenger_friendly_error_pages'                      => $passenger_friendly_error_pages,
      'passenger_min_instances'                             => $passenger_min_instances,
      'passenger_max_instances'                             => $passenger_max_instances,
      'passenger_max_preloader_idle_time'                   => $passenger_max_preloader_idle_time,
      'passenger_force_max_concurrent_requests_per_process' => $passenger_force_max_concurrent_requests_per_process,
      'passenger_start_timeout'                             => $passenger_start_timeout,
      'passenger_concurrency_model'                         => $passenger_concurrency_model,
      'passenger_thread_count'                              => $passenger_thread_count,
      'passenger_max_requests'                              => $passenger_max_requests,
      'passenger_max_request_time'                          => $passenger_max_request_time,
      'passenger_memory_limit'                              => $passenger_memory_limit,
      'passenger_stat_throttle_rate'                        => $passenger_stat_throttle_rate,
      'passenger_high_performance'                          => $passenger_high_performance,
      'passenger_buffer_upload'                             => $passenger_buffer_upload,
      'passenger_buffer_response'                           => $passenger_buffer_response,
      'passenger_error_override'                            => $passenger_error_override,
      'passenger_max_request_queue_size'                    => $passenger_max_request_queue_size,
      'passenger_max_request_queue_time'                    => $passenger_max_request_queue_time,
      'passenger_sticky_sessions'                           => $passenger_sticky_sessions,
      'passenger_sticky_sessions_cookie_name'               => $passenger_sticky_sessions_cookie_name,
      'passenger_sticky_sessions_cookie_attributes'         => $passenger_sticky_sessions_cookie_attributes,
      'passenger_allow_encoded_slashes'                     => $passenger_allow_encoded_slashes,
      'passenger_app_log_file'                              => $passenger_app_log_file,
      'passenger_debugger'                                  => $passenger_debugger,
      'passenger_lve_min_uid'                               => $passenger_lve_min_uid,
    }

    concat::fragment { "${name}-passenger":
      target  => "${priority_real}${filename}.conf",
      order   => 300,
      content => epp('apache/vhost/_passenger.epp', $passenger_params),
    }
  }

  if $add_default_charset {
    $charsets_params = {
      'add_default_charset' => $add_default_charset,
    }
    concat::fragment { "${name}-charsets":
      target  => "${priority_real}${filename}.conf",
      order   => 310,
      content => epp('apache/vhost/_charsets.epp', $charsets_params),
    }
  }

  if $modsec_disable_vhost or $modsec_disable_ids or !empty($modsec_disable_ips) or $modsec_disable_msgs or $modsec_disable_tags or $modsec_audit_log_destination or ($modsec_inbound_anomaly_threshold and $modsec_outbound_anomaly_threshold) or $modsec_allowed_methods {
    $security_params = {
      'modsec_disable_vhost'              => $modsec_disable_vhost,
      'modsec_audit_log_destination'      => $modsec_audit_log_destination,
      '_modsec_disable_ids'               => $modsec_disable_ids,
      'modsec_disable_ips'                => $modsec_disable_ips,
      '_modsec_disable_msgs'              => $modsec_disable_msgs,
      '_modsec_disable_tags'              => $modsec_disable_tags,
      'modsec_body_limit'                 => $modsec_body_limit,
      'modsec_inbound_anomaly_threshold'  => $modsec_inbound_anomaly_threshold,
      'modsec_outbound_anomaly_threshold' => $modsec_outbound_anomaly_threshold,
      'modsec_allowed_methods'            => $modsec_allowed_methods,
    }
    concat::fragment { "${name}-security":
      target  => "${priority_real}${filename}.conf",
      order   => 320,
      content => epp('apache/vhost/_security.epp', $security_params),
    }
  }

  if ! empty($filters) and $ensure == 'present' {
    include apache::mod::filter

    concat::fragment { "${name}-filters":
      target  => "${priority_real}${filename}.conf",
      order   => 330,
      content => epp('apache/vhost/_filters.epp', { 'filters' => $filters }),
    }
  }

  if !empty($jk_mounts) and $ensure == 'present' {
    include apache::mod::jk

    concat::fragment { "${name}-jk_mounts":
      target  => "${priority_real}${filename}.conf",
      order   => 340,
      content => epp('apache/vhost/_jk_mounts.epp', { 'jk_mounts' => $jk_mounts }),
    }
  }

  if $keepalive or $keepalive_timeout or $max_keepalive_requests {
    $keep_alive_params = {
      'keepalive' => $keepalive,
      'keepalive_timeout' => $keepalive_timeout,
      'max_keepalive_requests' => $max_keepalive_requests,
    }
    concat::fragment { "${name}-keepalive_options":
      target  => "${priority_real}${filename}.conf",
      order   => 350,
      content => epp('apache/vhost/_keepalive_options.epp', $keep_alive_params),
    }
  }

  if $cas_enabled {
    $auth_cas_params = {
      'cas_enabled'               => $cas_enabled,
      'cas_cookie_path'           => $cas_cookie_path,
      'cas_login_url'             => $cas_login_url,
      'cas_validate_url'          => $cas_validate_url,
      'cas_version'               => $apache::mod::auth_cas::cas_version,
      'cas_debug'                 => $apache::mod::auth_cas::cas_debug,
      'cas_certificate_path'      => $apache::mod::auth_cas::cas_certificate_path,
      'cas_proxy_validate_url'    => $apache::mod::auth_cas::cas_proxy_validate_url,
      'cas_validate_depth'        => $apache::mod::auth_cas::cas_validate_depth,
      'cas_root_proxied_as'       => $cas_root_proxied_as,
      'cas_cookie_entropy'        => $apache::mod::auth_cas::cas_cookie_entropy,
      'cas_timeout'               => $apache::mod::auth_cas::cas_timeout,
      'cas_idle_timeout'          => $apache::mod::auth_cas::cas_idle_timeout,
      'cas_cache_clean_interval'  => $apache::mod::auth_cas::cas_cache_clean_interval,
      'cas_cookie_domain'         => $apache::mod::auth_cas::cas_cookie_domain,
      'cas_cookie_http_only'      => $apache::mod::auth_cas::cas_cookie_http_only,
      'cas_authoritative'         => $apache::mod::auth_cas::cas_authoritative,
      'cas_sso_enabled'           => $cas_sso_enabled,
      'cas_validate_saml'         => $cas_validate_saml,
      'cas_attribute_prefix'      => $cas_attribute_prefix,
      'cas_attribute_delimiter'   => $cas_attribute_delimiter,
      'cas_scrub_request_headers' => $cas_scrub_request_headers,
    }
    concat::fragment { "${name}-auth_cas":
      target  => "${priority_real}${filename}.conf",
      order   => 350,
      content => epp('apache/vhost/_auth_cas.epp', $auth_cas_params),
    }
  }

  if $http_protocol_options {
    concat::fragment { "${name}-http_protocol_options":
      target  => "${priority_real}${filename}.conf",
      order   => 350,
      content => epp('apache/vhost/_http_protocol_options.epp', { 'http_protocol_options' => $http_protocol_options }),
    }
  }

  if $auth_oidc and $ensure == 'present' {
    include apache::mod::auth_openidc

    concat::fragment { "${name}-auth_oidc":
      target  => "${priority_real}${filename}.conf",
      order   => 360,
      content => stdlib::deferrable_epp('apache/vhost/_auth_oidc.epp', {
          'auth_oidc'     => $auth_oidc,
          'oidc_settings' => $oidc_settings,
      }),
    }
  }

  if $shibboleth_enabled {
    concat::fragment { "${name}-shibboleth":
      target  => "${priority_real}${filename}.conf",
      order   => 370,
      content => epp('apache/vhost/_shib.epp', { 'shib_compat_valid_user' => $shib_compat_valid_user }),
    }
  }

  if $use_canonical_name {
    concat::fragment { "${name}-use_canonical_name":
      target  => "${priority_real}${filename}.conf",
      order   => 360,
      content => "  UseCanonicalName ${use_canonical_name}\n",
    }
  }

  $file_footer_params = {
    'define'              => $define,
    'passenger_pre_start' => $passenger_pre_start,
  }
  concat::fragment { "${name}-file_footer":
    target  => "${priority_real}${filename}.conf",
    order   => 999,
    content => epp('apache/vhost/_file_footer.epp', $file_footer_params),
  }
}