From 87a7b3d5d8804cb25e4a3fd90686f9261946e044 Mon Sep 17 00:00:00 2001
From: William Yardley
Date: Thu, 6 Apr 2017 17:10:40 -0700
Subject: [PATCH] Make ssl_prefer_server_ciphers configurable in server / mailhost resources (#1032). Default to 'on', vs. the nginx default of 'off'
---
 manifests/config.pp | 1 +
 manifests/init.pp | 1 +
 manifests/resource/mailhost.pp | 99 +++--
 manifests/resource/server.pp | 299 ++++++++-----------
 spec/defines/resource_mailhost_spec.rb | 12 +
 spec/defines/resource_server_spec.rb | 12 +
 templates/mailhost/mailhost_ssl_settings.erb | 2 +-
 templates/server/server_ssl_settings.erb | 2 +-
 8 files changed, 197 insertions(+), 231 deletions(-)
diff --git a/manifests/config.pp b/manifests/config.pp
index d5b5f2fd1..b0e55758e 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -110,6 +110,7 @@
 $worker_connections = $::nginx::worker_connections
 $worker_processes = $::nginx::worker_processes
 $worker_rlimit_nofile = $::nginx::worker_rlimit_nofile
+ $ssl_prefer_server_ciphers = $::nginx::ssl_prefer_server_ciphers
 $ssl_protocols = $::nginx::ssl_protocols
 $ssl_ciphers = $::nginx::ssl_ciphers
diff --git a/manifests/init.pp b/manifests/init.pp
index cccd1b7dd..6a762b398 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -130,6 +130,7 @@
 Integer $worker_connections = 1024,
 Variant[Integer, Enum['auto']] $worker_processes = 1,
 Integer $worker_rlimit_nofile = 1024,
+ Enum['on', 'off'] $ssl_prefer_server_ciphers = 'on',
 $ssl_protocols = 'TLSv1 TLSv1.1 TLSv1.2',
 $ssl_ciphers = 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS',
diff --git a/manifests/resource/mailhost.pp b/manifests/resource/mailhost.pp
index a2ae3a000..7b66546f8 100644
--- a/manifests/resource/mailhost.pp
+++ b/manifests/resource/mailhost.pp
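Review bot: The new class parameter `Enum['on', 'off'] $ssl_prefer_server_ciphers = 'on'` is added to init.pp without any accompanying documentation — the diffstat shows init.pp gaining exactly this one line, while mailhost.pp and server.pp both get a header entry for the same parameter. If init.pp keeps a `[*param*]` list in its leading comment (it is outside the hunk, so I cannot confirm), add `# [*ssl_prefer_server_ciphers*] - Whether the server's cipher order takes precedence over the client's ('on'|'off'). Defaults to 'on'; the nginx default is 'off'.` so the deliberate departure from the nginx default is discoverable from the class itself rather than only from the commit message. The class parameter list continues on both sides of the hunk.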
@@ -3,54 +3,56 @@ # This definition creates a virtual host # # Parameters: -# [*ensure*] - Enables or disables the specified mailhost (present|absent) -# [*listen_ip*] - Default IP Address for NGINX to listen with this server on. Defaults to all interfaces (*) -# [*listen_port*] - Default IP Port for NGINX to listen with this server on. Defaults to TCP 80 -# [*listen_options*] - Extra options for listen directive like 'default' to catchall. Undef by default. -# [*ipv6_enable*] - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6 -# support exists on your system before enabling. -# [*ipv6_listen_ip*] - Default IPv6 Address for NGINX to listen with this server on. Defaults to all interfaces (::) -# [*ipv6_listen_port*] - Default IPv6 Port for NGINX to listen with this server on. Defaults to TCP 80 -# [*ipv6_listen_options*] - Extra options for listen directive like 'default' to catchall. Template will allways add ipv6only=on. -# While issue jfryman/puppet-nginx#30 is discussed, default value is 'default'. -# [*index_files*] - Default index files for NGINX to read when traversing a directory -# [*ssl*] - Indicates whether to setup SSL bindings for this mailhost. -# [*ssl_cert*] - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module. -# [*ssl_ciphers*] - Override default SSL ciphers. Defaults to nginx::ssl_ciphers -# [*ssl_client_cert*] - Pre-generated SSL Certificate file to reference for client verify SSL Support. This is not generated by this module. -# [*ssl_crl*] - String: Specifies CRL path in file system -# [*ssl_dhparam*] - This directive specifies a file containing Diffie-Hellman key agreement protocol cryptographic parameters, in PEM -# format, utilized for exchanging session keys between server and client. -# [*ssl_ecdh_curve*] - This directive specifies a curve for ECDHE ciphers. -# [*ssl_key*] - Pre-generated SSL Key file to reference for SSL Support. 
This is not generated by this module. -# [*ssl_password_file*] - This directive specifies a file containing passphrases for secret keys. -# [*ssl_port*] - Default IP Port for NGINX to listen with this SSL server on. Defaults to TCP 443 -# [*ssl_protocols*] - SSL protocols enabled. Defaults to nginx::ssl_protocols -# [*ssl_session_cache*] - Sets the type and size of the session cache. -# [*ssl_session_ticket_key*] - This directive specifies a file containing secret key used to encrypt and decrypt TLS session tickets. -# [*ssl_session_tickets*] - Whether to enable or disable session resumption through TLS session tickets. -# [*ssl_session_timeout*] - String: Specifies a time during which a client may reuse the session parameters stored in a cache. -# Defaults to 5m. -# [*ssl_trusted_cert*] - String: Specifies a file with trusted CA certificates in the PEM format used to verify client -# certificates and OCSP responses if ssl_stapling is enabled. -# [*ssl_verify_depth*] - Sets the verification depth in the client certificates chain. -# [*starttls*] - Enable STARTTLS support: (on|off|only) -# [*protocol*] - Mail protocol to use: (imap|pop3|smtp) -# [*auth_http*] - With this directive you can set the URL to the external HTTP-like server for authorization. -# [*xclient*] - Whether to use xclient for smtp (on|off) -# [*imap_auth*] - Sets permitted methods of authentication for IMAP clients. -# [*imap_capabilities*] - Sets the IMAP protocol extensions list that is passed to the client in response to the CAPABILITY command. -# [*imap_client_buffer*] - Sets the IMAP commands read buffer size. -# [*pop3_auth*] - Sets permitted methods of authentication for POP3 clients. -# [*pop3_capabilities*] - Sets the POP3 protocol extensions list that is passed to the client in response to the CAPA command. -# [*smtp_auth*] - Sets permitted methods of SASL authentication for SMTP clients. 
-# [*smtp_capabilities*] - Sets the SMTP protocol extensions list that is passed to the client in response to the EHLO command. -# [*proxy_pass_error_message*] - Indicates whether to pass the error message obtained during the authentication on the backend to the client. -# [*server_name*] - List of mailhostnames for which this mailhost will respond. Default [$name]. -# [*raw_prepend*] - A single string, or an array of strings to prepend to the server directive (after mailhost_cfg_prepend directive). NOTE: YOU are responsible for a semicolon on each line that requires one. -# [*raw_append*] - A single string, or an array of strings to append to the server directive (after mailhost_cfg_append directive). NOTE: YOU are responsible for a semicolon on each line that requires one. -# [*mailhost_cfg_append*] - It expects a hash with custom directives to put after everything else inside server -# [*mailhost_cfg_prepend*] - It expects a hash with custom directives to put before everything else inside server +# [*ensure*] - Enables or disables the specified mailhost (present|absent) +# [*listen_ip*] - Default IP Address for NGINX to listen with this server on. Defaults to all interfaces (*) +# [*listen_port*] - Default IP Port for NGINX to listen with this server on. Defaults to TCP 80 +# [*listen_options*] - Extra options for listen directive like 'default' to catchall. Undef by default. +# [*ipv6_enable*] - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6 +# support exists on your system before enabling. +# [*ipv6_listen_ip*] - Default IPv6 Address for NGINX to listen with this server on. Defaults to all interfaces (::) +# [*ipv6_listen_port*] - Default IPv6 Port for NGINX to listen with this server on. Defaults to TCP 80 +# [*ipv6_listen_options*] - Extra options for listen directive like 'default' to catchall. Template will allways add ipv6only=on. +# While issue jfryman/puppet-nginx#30 is discussed, default value is 'default'. 
+# [*index_files*] - Default index files for NGINX to read when traversing a directory +# [*ssl*] - Indicates whether to setup SSL bindings for this mailhost. +# [*ssl_cert*] - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module. +# [*ssl_ciphers*] - Override default SSL ciphers. Defaults to nginx::ssl_ciphers +# [*ssl_client_cert*] - Pre-generated SSL Certificate file to reference for client verify SSL Support. This is not generated by this module. +# [*ssl_crl*] - String: Specifies CRL path in file system +# [*ssl_dhparam*] - This directive specifies a file containing Diffie-Hellman key agreement protocol cryptographic parameters, in PEM +# format, utilized for exchanging session keys between server and client. +# [*ssl_ecdh_curve*] - This directive specifies a curve for ECDHE ciphers. +# [*ssl_key*] - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module. +# [*ssl_password_file*] - This directive specifies a file containing passphrases for secret keys. +# [*ssl_port*] - Default IP Port for NGINX to listen with this SSL server on. Defaults to TCP 443 +# [*ssl_prefer_server_ciphers*] - Specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and TLS protocols. Defaults +# to $nginx::ssl_prefer_server_ciphers. +# [*ssl_protocols*] - SSL protocols enabled. Defaults to nginx::ssl_protocols +# [*ssl_session_cache*] - Sets the type and size of the session cache. +# [*ssl_session_ticket_key*] - This directive specifies a file containing secret key used to encrypt and decrypt TLS session tickets. +# [*ssl_session_tickets*] - Whether to enable or disable session resumption through TLS session tickets. +# [*ssl_session_timeout*] - String: Specifies a time during which a client may reuse the session parameters stored in a cache. +# Defaults to 5m. 
+# [*ssl_trusted_cert*] - String: Specifies a file with trusted CA certificates in the PEM format used to verify client +# certificates and OCSP responses if ssl_stapling is enabled. +# [*ssl_verify_depth*] - Sets the verification depth in the client certificates chain. +# [*starttls*] - Enable STARTTLS support: (on|off|only) +# [*protocol*] - Mail protocol to use: (imap|pop3|smtp) +# [*auth_http*] - With this directive you can set the URL to the external HTTP-like server for authorization. +# [*xclient*] - Whether to use xclient for smtp (on|off) +# [*imap_auth*] - Sets permitted methods of authentication for IMAP clients. +# [*imap_capabilities*] - Sets the IMAP protocol extensions list that is passed to the client in response to the CAPABILITY command. +# [*imap_client_buffer*] - Sets the IMAP commands read buffer size. +# [*pop3_auth*] - Sets permitted methods of authentication for POP3 clients. +# [*pop3_capabilities*] - Sets the POP3 protocol extensions list that is passed to the client in response to the CAPA command. +# [*smtp_auth*] - Sets permitted methods of SASL authentication for SMTP clients. +# [*smtp_capabilities*] - Sets the SMTP protocol extensions list that is passed to the client in response to the EHLO command. +# [*proxy_pass_error_message*] - Indicates whether to pass the error message obtained during the authentication on the backend to the client. +# [*server_name*] - List of mailhostnames for which this mailhost will respond. Default [$name]. +# [*raw_prepend*] - A single string, or an array of strings to prepend to the server directive (after mailhost_cfg_prepend directive). NOTE: YOU are responsible for a semicolon on each line that requires one. +# [*raw_append*] - A single string, or an array of strings to append to the server directive (after mailhost_cfg_append directive). NOTE: YOU are responsible for a semicolon on each line that requires one. 
+# [*mailhost_cfg_append*] - It expects a hash with custom directives to put after everything else inside server +# [*mailhost_cfg_prepend*] - It expects a hash with custom directives to put before everything else inside server # # Actions: # @@ -88,6 +90,7 @@ Optional[String] $ssl_key = undef, Optional[String] $ssl_password_file = undef, Optional[Integer] $ssl_port = undef, + Enum['on', 'off'] $ssl_prefer_server_ciphers = $::nginx::ssl_prefer_server_ciphers, String $ssl_protocols = $::nginx::ssl_protocols, Optional[String] $ssl_session_cache = undef, Optional[String] $ssl_session_ticket_key = undef, diff --git a/manifests/resource/server.pp b/manifests/resource/server.pp index f8ab7e015..4a2c6d297 100644 --- a/manifests/resource/server.pp +++ b/manifests/resource/server.pp 
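Review bot: The new header line for `ssl_prefer_server_ciphers` does not state the accepted values even though the parameter is declared `Enum['on', 'off']` in the hunk at `@@ -88,6 +90,7 @@`, and the parallel line added to server.pp labels it `String:` although it carries the same Enum type there. Suggest `# [*ssl_prefer_server_ciphers*] - Whether the server's cipher order takes precedence over the client's ('on'|'off'). Defaults to $nginx::ssl_prefer_server_ciphers.` here, and the same wording without `String:` in the server.pp header, so the two resources read identically. The phrase "when using the SSLv3 and TLS protocols" is copied from the nginx reference but is misleading in this module, whose `$ssl_protocols` default in init.pp is `'TLSv1 TLSv1.1 TLSv1.2'` — SSLv3 is never enabled by default, so dropping the mention avoids implying it is supported. The define's parameter list continues outside the hunk.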
@@ -3,187 +3,123 @@ # This definition creates a virtual host # # Parameters: -# [*ensure*] - Enables or disables the specified server -# (present|absent) -# [*listen_ip*] - Default IP Address for NGINX to listen with this -# server on. Defaults to all interfaces (*) -# [*listen_port*] - Default IP Port for NGINX to listen with this -# server on. Defaults to TCP 80 -# [*listen_options*] - Extra options for listen directive like -# 'default_server' to catchall. Undef by default. -# [*listen_unix_socket_enable*] - BOOL value to enable/disable UNIX socket -# listening support (false|true). -# [*listen_unix_socket*] - Default unix socket for NGINX to listen with this -# server on. Defaults to UNIX /var/run/nginx.sock -# [*listen_unix_socket_options*] - Extra options for listen directive like -# 'default' to catchall. Undef by default. -# [*location_satisfy*] - Allows access if all (all) or at least one (any) of the auth modules allow access. -# [*location_allow*] - Array: Locations to allow connections from. -# [*location_deny*] - Array: Locations to deny connections from. -# [*ipv6_enable*] - BOOL value to enable/disable IPv6 support -# (false|true). Module will check to see if IPv6 support exists on your -# system before enabling. -# [*ipv6_listen_ip*] - Default IPv6 Address for NGINX to listen with -# this server on. Defaults to all interfaces (::) -# [*ipv6_listen_port*] - Default IPv6 Port for NGINX to listen with this -# server on. Defaults to TCP 80 -# [*ipv6_listen_options*] - Extra options for listen directive like 'default' -# to catchall. Template will allways add ipv6only=on. While issue -# jfryman/puppet-nginx#30 is discussed, default value is 'default'. -# [*add_header*] - Hash: Adds headers to the HTTP response when -# response code is equal to 200, 204, 301, 302 or 304. -# [*index_files*] - Default index files for NGINX to read when -# traversing a directory -# [*autoindex*] - Set it on 'on' or 'off 'to activate/deactivate -# autoindex directory listing. 
Undef by default. -# [*proxy*] - Proxy server(s) for the root location to connect -# to. Accepts a single value, can be used in conjunction with -# nginx::resource::upstream -# [*proxy_read_timeout*] - Override the default the proxy read timeout value -# of 90 seconds -# [*proxy_redirect*] - Override the default proxy_redirect value of off. -# [*proxy_buffering*] - If defined, sets the proxy_buffering to the passed value. -# [*resolver*] - Array: Configures name servers used to resolve -# names of upstream servers into addresses. -# [*fastcgi*] - location of fastcgi (host:port) -# [*fastcgi_param*] - Set additional custom fastcgi_params -# [*fastcgi_params*] - optional alternative fastcgi_params file to use -# [*fastcgi_script*] - optional SCRIPT_FILE parameter -# [*uwsgi_read_timeout*] - optional value for uwsgi_read_timeout -# [*ssl*] - Indicates whether to setup SSL bindings for this -# server. -# [*ssl_cert*] - Pre-generated SSL Certificate file to reference -# for SSL Support. This is not generated by this module. Set to `false` to -# inherit from the http section, which improves performance by conserving -# memory. -# [*ssl_client_cert*] - Pre-generated SSL Certificate file to reference -# for client verify SSL Support. This is not generated by this module. -# [*ssl_verify_client*] - Enables verification of client certificates. -# [*ssl_crl*] - String: Specifies CRL path in file system -# [*ssl_dhparam*] - This directive specifies a file containing -# Diffie-Hellman key agreement protocol cryptographic parameters, in PEM -# format, utilized for exchanging session keys between server and client. -# [*ssl_redirect*] - Adds a server directive and return statement to -# force ssl redirect. Will honor ssl_port if it's set. -# [*ssl_redirect_port*] - Overrides $ssl_port in the SSL redirect set by -# ssl_redirect -# [*ssl_key*] - Pre-generated SSL Key file to reference for SSL -# Support. This is not generated by this module. 
Set to `false` to inherit -# from the http section, which improves performance by conserving memory. -# [*ssl_port*] - Default IP Port for NGINX to listen with this SSL -# server on. Defaults to TCP 443 -# [*ssl_protocols*] - SSL protocols enabled. Defaults to 'TLSv1 TLSv1.1 -# TLSv1.2'. -# [*ssl_buffer_size*] - Sets the size of the buffer used for sending data. -# [*ssl_ciphers*] - SSL ciphers enabled. Defaults to -# nginx::config::ssl_ciphers -# [*ssl_stapling*] - Bool: Enables or disables stapling of OCSP -# responses by the server. Defaults to false. -# [*ssl_stapling_file*] - String: When set, the stapled OCSP response -# will be taken from the specified file instead of querying the OCSP -# responder specified in the server certificate. -# [*ssl_stapling_responder*] - String: Overrides the URL of the OCSP -# responder specified in the Authority Information Access certificate -# extension. -# [*ssl_stapling_verify*] - Bool: Enables or disables verification of -# OCSP responses by the server. Defaults to false. -# [*ssl_session_timeout*] - String: Specifies a time during which a client -# may reuse the session parameters stored in a cache. Defaults to 5m. -# [*ssl_session_tickets*] - String: Enables or disables session resumption -# through TLS session tickets. -# [*ssl_session_ticket_key*] - String: Sets a file with the secret key used -# to encrypt and decrypt TLS session tickets. -# [*ssl_trusted_cert*] - String: Specifies a file with trusted CA -# certificates in the PEM format used to verify client certificates and -# OCSP responses if ssl_stapling is enabled. -# [*spdy*] - Toggles SPDY protocol. -# [*http2*] - Toggles HTTP/2 protocol. -# [*server_name*] - List of servernames for which this server will -# respond. Default [$name]. -# [*www_root*] - Specifies the location on disk for files to be -# read from. 
Cannot be set in conjunction with $proxy -# [*rewrite_www_to_non_www*] - Adds a server directive and rewrite rule to -# rewrite www.domain.com to domain.com in order to avoid duplicate -# content (SEO); -# [*try_files*] - Specifies the locations for files to be -# checked as an array. Cannot be used in conjuction with $proxy. -# [*proxy_cache*] - This directive sets name of zone for caching. -# The same zone can be used in multiple places. -# [*proxy_cache_key*] - Override the default proxy_cache_key of -# $scheme$proxy_host$request_uri -# [*proxy_cache_use_stale*] - Override the default proxy_cache_use_stale value -# of off. -# [*proxy_cache_valid*] - This directive sets the time for caching -# different replies. -# [*proxy_method*] - If defined, overrides the HTTP method of the -# request to be passed to the backend. -# [*proxy_http_version*] - Sets the proxy http version -# [*proxy_set_body*] - If defined, sets the body passed to the backend. -# [*auth_basic*] - This directive includes testing name and -# password with HTTP Basic Authentication. -# [*auth_basic_user_file*] - This directive sets the htpasswd filename for -# the authentication realm. -# [*auth_request*] - This allows you to specify a custom auth endpoint -# [*client_max_body_size*] - This directive sets client_max_body_size. -# [*client_body_timeout*] - Sets how long the server will wait for a -# client body. Default is 60s -# [*client_header_timeout*] - Sets how long the server will wait for a -# client header. Default is 60s -# [*raw_prepend*] - A single string, or an array of strings to -# prepend to the server directive (after cfg prepend directives). NOTE: -# YOU are responsible for a semicolon on each line that requires one. -# [*raw_append*] - A single string, or an array of strings to -# append to the server directive (after cfg append directives). NOTE: -# YOU are responsible for a semicolon on each line that requires one. 
-# [*location_raw_prepend*] - A single string, or an array of strings -# to prepend to the location directive (after custom_cfg directives). NOTE: -# YOU are responsible for a semicolon on each line that requires one. -# [*location_raw_append*] - A single string, or an array of strings -# to append to the location directive (after custom_cfg directives). NOTE: -# YOU are responsible for a semicolon on each line that requires one. -# [*server_cfg_append*] - It expects a hash with custom directives to -# put after everything else inside server -# [*server_cfg_prepend*] - It expects a hash with custom directives to -# put before everything else inside server -# [*server_cfg_ssl_append*] - It expects a hash with custom directives to -# put after everything else inside server ssl -# [*server_cfg_ssl_prepend*] - It expects a hash with custom directives to -# put before everything else inside server ssl -# [*include_files*] - Adds include files to server -# [*access_log*] - Where to write access log (log format can be -# set with $format_log). This can be either a string or an array; in the -# latter case, multiple lines will be created. Additionally, unlike the -# earlier behavior, setting it to 'absent' in the server context will remove -# this directive entirely from the server stanza, rather than setting a -# default. Can also be disabled for this server with the string 'off'. -# [*error_log*] - Where to write error log. May add additional -# options like error level to the end. 
May set to 'absent', in which case -# it will be omitted in this server stanza (and default to nginx.conf setting) -# [*passenger_cgi_param*] - Allows one to define additional CGI environment -# variables to pass to the backend application -# [*passenger_set_header*] - Allows one to set headers to pass to the -# backend application (Passenger 5.0+) -# [*passenger_env_var*] - Allows one to set environemnt variables to pass -# to the backend application (Passenger 5.0+) -# [*passenger_pre_start*] - Allows setting a URL to pre-warm the host. Per -# Passenger docs, the "domain part of the URL" must match a value of -# server_name. If this is an array, multiple URLs can be specified. -# [*log_by_lua*] - Run the Lua source code inlined as the -# at the log request processing phase. -# This does not replace the current access logs, but runs after. -# [*log_by_lua_file*] - Equivalent to log_by_lua, except that the file -# specified by contains the Lua code, or, as from -# the v0.5.0rc32 release, the Lua/LuaJIT bytecode to be executed. -# [*gzip_types*] - Defines gzip_types, nginx default is text/html -# [*owner*] - Defines owner of the .conf file -# [*group*] - Defines group of the .conf file -# [*mode*] - Defines mode of the .conf file -# [*maintenance*] - A boolean value to set a server in maintenance -# [*maintenance_value*] - Value to return when maintenance is on. -# Default to return 503 -# [*error_pages*] - Hash: setup errors pages, hash key is the http -# code and hash value the page -# [*locations*] - Hash of servers ressources used by this server +# [*ensure*] - Enables or disables the specified server (present|absent) +# [*listen_ip*] - Default IP Address for NGINX to listen with this server on. Defaults to all interfaces (*) +# [*listen_port*] - Default IP Port for NGINX to listen with this server on. Defaults to TCP 80 +# [*listen_options*] - Extra options for listen directive like 'default_server' to catchall. Undef by default. 
+# [*listen_unix_socket_enable*] - BOOL value to enable/disable UNIX socket listening support (false|true). +# [*listen_unix_socket*] - Default unix socket for NGINX to listen with this server on. Defaults to UNIX /var/run/nginx.sock +# [*listen_unix_socket_options*] - Extra options for listen directive like 'default' to catchall. Undef by default. +# [*location_satisfy*] - Allows access if all (all) or at least one (any) of the auth modules allow access. +# [*location_allow*] - Array: Locations to allow connections from. +# [*location_deny*] - Array: Locations to deny connections from. +# [*ipv6_enable*] - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6 support +# exists on your system before enabling. +# [*ipv6_listen_ip*] - Default IPv6 Address for NGINX to listen with this server on. Defaults to all interfaces (::) +# [*ipv6_listen_port*] - Default IPv6 Port for NGINX to listen with this server on. Defaults to TCP 80 +# [*ipv6_listen_options*] - Extra options for listen directive like 'default' to catchall. Template will allways add ipv6only=on. +# While issue jfryman/puppet-nginx#30 is discussed, default value is 'default'. +# [*add_header*] - Hash: Adds headers to the HTTP response when response code is equal to 200, 204, 301, 302 or 304. +# [*index_files*] - Default index files for NGINX to read when traversing a directory +# [*autoindex*] - Set it on 'on' or 'off 'to activate/deactivate autoindex directory listing. Undef by default. +# [*proxy*] - Proxy server(s) for the root location to connect to. Accepts a single value, can be used in +# conjunction with nginx::resource::upstream +# [*proxy_read_timeout*] - Override the default the proxy read timeout value of 90 seconds +# [*proxy_redirect*] - Override the default proxy_redirect value of off. +# [*proxy_buffering*] - If defined, sets the proxy_buffering to the passed value. 
+# [*resolver*] - Array: Configures name servers used to resolve names of upstream servers into addresses. +# [*fastcgi*] - location of fastcgi (host:port) +# [*fastcgi_param*] - Set additional custom fastcgi_params +# [*fastcgi_params*] - optional alternative fastcgi_params file to use +# [*fastcgi_script*] - optional SCRIPT_FILE parameter +# [*uwsgi_read_timeout*] - optional value for uwsgi_read_timeout +# [*ssl*] - Indicates whether to setup SSL bindings for this server. +# [*ssl_cert*] - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module. +# Set to `false` to inherit from the http section, which improves performance by conserving memory. +# [*ssl_client_cert*] - Pre-generated SSL Certificate file to reference for client verify SSL Support. This is not generated by +# this module. +# [*ssl_verify_client*] - Enables verification of client certificates. +# [*ssl_crl*] - String: Specifies CRL path in file system +# [*ssl_dhparam*] - This directive specifies a file containing Diffie-Hellman key agreement protocol cryptographic +# parameters, in PEM format, utilized for exchanging session keys between server and client. +# [*ssl_prefer_server_ciphers*] - String: Specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and +# TLS protocols. Defaults to nginx::ssl_prefer_server_ciphers. +# [*ssl_redirect*] - Adds a server directive and return statement to force ssl redirect. Will honor ssl_port if it's set. +# [*ssl_redirect_port*] - Overrides $ssl_port in the SSL redirect set by ssl_redirect +# [*ssl_key*] - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module. Set to +# `false` to inherit from the http section, which improves performance by conserving memory. +# [*ssl_port*] - Default IP Port for NGINX to listen with this SSL server on. Defaults to TCP 443 +# [*ssl_protocols*] - SSL protocols enabled. Defaults to 'TLSv1 TLSv1.1 TLSv1.2'. 
+# [*ssl_buffer_size*] - Sets the size of the buffer used for sending data. +# [*ssl_ciphers*] - SSL ciphers enabled. Defaults to nginx::ssl_ciphers +# [*ssl_stapling*] - Bool: Enables or disables stapling of OCSP responses by the server. Defaults to false. +# [*ssl_stapling_file*] - String: When set, the stapled OCSP response will be taken from the specified file instead of querying +# the OCSP responder specified in the server certificate. +# [*ssl_stapling_responder*] - String: Overrides the URL of the OCSP responder specified in the Authority Information Access +# certificate extension. +# [*ssl_stapling_verify*] - Bool: Enables or disables verification of OCSP responses by the server. Defaults to false. +# [*ssl_session_timeout*] - String: Specifies a time during which a client may reuse the session parameters stored in a cache. +# Defaults to 5m. +# [*ssl_session_tickets*] - String: Enables or disables session resumption through TLS session tickets. +# [*ssl_session_ticket_key*] - String: Sets a file with the secret key used to encrypt and decrypt TLS session tickets. +# [*ssl_trusted_cert*] - String: Specifies a file with trusted CA certificates in the PEM format used to verify client +# certificates and OCSP responses if ssl_stapling is enabled. +# [*spdy*] - Toggles SPDY protocol. +# [*http2*] - Toggles HTTP/2 protocol. +# [*server_name*] - List of servernames for which this server will respond. Default [$name]. +# [*www_root*] - Specifies the location on disk for files to be read from. Cannot be set in conjunction with $proxy +# [*rewrite_www_to_non_www*] - Adds a server directive and rewrite rule to rewrite www.domain.com to domain.com in order to avoid +# duplicate content (SEO); +# [*try_files*] - Specifies the locations for files to be checked as an array. Cannot be used in conjuction with $proxy. +# [*proxy_cache*] - This directive sets name of zone for caching. The same zone can be used in multiple places. 
+# [*proxy_cache_key*] - Override the default proxy_cache_key of $scheme$proxy_host$request_uri +# [*proxy_cache_use_stale*] - Override the default proxy_cache_use_stale value of off. +# [*proxy_cache_valid*] - This directive sets the time for caching different replies. +# [*proxy_method*] - If defined, overrides the HTTP method of the request to be passed to the backend. +# [*proxy_http_version*] - Sets the proxy http version +# [*proxy_set_body*] - If defined, sets the body passed to the backend. +# [*auth_basic*] - This directive includes testing name and password with HTTP Basic Authentication. +# [*auth_basic_user_file*] - This directive sets the htpasswd filename for the authentication realm. +# [*auth_request*] - This allows you to specify a custom auth endpoint +# [*client_max_body_size*] - This directive sets client_max_body_size. +# [*client_body_timeout*] - Sets how long the server will wait for a client body. Default is 60s +# [*client_header_timeout*] - Sets how long the server will wait for a client header. Default is 60s +# [*raw_prepend*] - A single string, or an array of strings to prepend to the server directive (after cfg prepend +# directives). NOTE: YOU are responsible for a semicolon on each line that requires one. +# [*raw_append*] - A single string, or an array of strings to append to the server directive (after cfg append +# directives). NOTE: YOU are responsible for a semicolon on each line that requires one. +# [*location_raw_prepend*] - A single string, or an array of strings to prepend to the location directive (after custom_cfg +# directives). NOTE: YOU are responsible for a semicolon on each line that requires one. +# [*location_raw_append*] - A single string, or an array of strings to append to the location directive (after custom_cfg +# directives). NOTE: YOU are responsible for a semicolon on each line that requires one. 
+# [*server_cfg_append*] - It expects a hash with custom directives to put after everything else inside server +# [*server_cfg_prepend*] - It expects a hash with custom directives to put before everything else inside server +# [*server_cfg_ssl_append*] - It expects a hash with custom directives to put after everything else inside server ssl +# [*server_cfg_ssl_prepend*] - It expects a hash with custom directives to put before everything else inside server ssl +# [*include_files*] - Adds include files to server +# [*access_log*] - Where to write access log (log format can be set with $format_log). This can be either a string or an +# array; in the latter case, multiple lines will be created. Additionally, unlike the earlier behavior, setting it to 'absent' in the +# server context will remove this directive entirely from the server stanza, rather than setting a default. Can also be disabled for +# this server with the string 'off'. +# [*error_log*] - Where to write error log. May add additional options like error level to the end. May set to 'absent', +# in which case it will be omitted in this server stanza (and default to nginx.conf setting) +# [*passenger_cgi_param*] - Allows one to define additional CGI environment variables to pass to the backend application +# [*passenger_set_header*] - Allows one to set headers to pass to the backend application (Passenger 5.0+) +# [*passenger_env_var*] - Allows one to set environemnt variables to pass to the backend application (Passenger 5.0+) +# [*passenger_pre_start*] - Allows setting a URL to pre-warm the host. Per Passenger docs, the "domain part of the URL" must match +# a value of server_name. If this is an array, multiple URLs can be specified. +# [*log_by_lua*] - Run the Lua source code inlined as the at the log request processing phase. This does +# not replace the current access logs, but runs after. 
+# [*log_by_lua_file*] - Equivalent to log_by_lua, except that the file specified by contains the Lua +# code, or, as from the v0.5.0rc32 release, the Lua/LuaJIT bytecode to be executed. +# [*gzip_types*] - Defines gzip_types, nginx default is text/html +# [*owner*] - Defines owner of the .conf file +# [*group*] - Defines group of the .conf file +# [*mode*] - Defines mode of the .conf file +# [*maintenance*] - A boolean value to set a server in maintenance +# [*maintenance_value*] - Value to return when maintenance is on. Default to return 503 +# [*error_pages*] - Hash: setup errors pages, hash key is the http code and hash value the page +# [*locations*] - Hash of servers resources used by this server # Actions: # # Requires: @@ -222,6 +158,7 @@ Optional[Integer] $ssl_redirect_port = undef, Optional[Variant[String, Boolean]] $ssl_key = undef, Integer $ssl_port = 443, + Enum['on', 'off'] $ssl_prefer_server_ciphers = $::nginx::ssl_prefer_server_ciphers, String $ssl_protocols = $::nginx::ssl_protocols, $ssl_buffer_size = undef, String $ssl_ciphers = $::nginx::ssl_ciphers, diff --git a/spec/defines/resource_mailhost_spec.rb b/spec/defines/resource_mailhost_spec.rb index 52cb9ee2e..1c8bc2103 100644 --- a/spec/defines/resource_mailhost_spec.rb +++ b/spec/defines/resource_mailhost_spec.rb @@ -357,6 +357,18 @@ value: 'ECDHE-ECDSA-CHACHA20-POLY1305', match: ' ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305;' }, + { + title: 'should set ssl_prefer_server_ciphers to on', + attr: 'ssl_prefer_server_ciphers', + value: 'on', + match: ' ssl_prefer_server_ciphers on;' + }, + { + title: 'should set ssl_prefer_server_ciphers to off', + attr: 'ssl_prefer_server_ciphers', + value: 'off', + match: ' ssl_prefer_server_ciphers off;' + }, { title: 'should set ssl_client_certificate', attr: 'ssl_client_cert', diff --git a/spec/defines/resource_server_spec.rb b/spec/defines/resource_server_spec.rb index de588f14a..5c55722a7 100644 --- a/spec/defines/resource_server_spec.rb 
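Review bot: The new `$ssl_prefer_server_ciphers` parameter has no matching `[*ssl_prefer_server_ciphers*]` entry in the part of the header comment visible here, so unless one was added earlier in the file the `on`/`off` semantics are not discoverable from the docs. Suggested entry next to the other `ssl_*` items: `# [*ssl_prefer_server_ciphers*] - 'on' makes the order of ssl_ciphers authoritative during negotiation instead of the client's order; 'off' only makes sense when ssl_ciphers is already limited to acceptable suites. Inherits $::nginx::ssl_prefer_server_ciphers.` Typing the parameter as `Enum['on', 'off']` is the right guard, since the value is interpolated verbatim into the SSL templates further down in this patch. The enclosing `define` starts and ends outside this hunk.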
+++ b/spec/defines/resource_server_spec.rb @@ -576,6 +576,18 @@ value: 'HIGH', match: %r{\s+ssl_ciphers\s+HIGH;} }, + { + title: 'should set ssl_prefer_server_ciphers on', + attr: 'ssl_prefer_server_ciphers', + value: 'on', + match: %r{\s+ssl_prefer_server_ciphers\s+on;} + }, + { + title: 'should set ssl_prefer_server_ciphers off', + attr: 'ssl_prefer_server_ciphers', + value: 'off', + match: %r{\s+ssl_prefer_server_ciphers\s+off;} + }, { title: 'should set auth_basic', attr: 'auth_basic', diff --git a/templates/mailhost/mailhost_ssl_settings.erb b/templates/mailhost/mailhost_ssl_settings.erb index ef8e7500d..551ed597f 100644 --- a/templates/mailhost/mailhost_ssl_settings.erb +++ b/templates/mailhost/mailhost_ssl_settings.erb @@ -21,7 +21,7 @@ <%- if defined? @ssl_password_file -%> ssl_password_file <%= @ssl_password_file %>; <%- end -%> - ssl_prefer_server_ciphers on; + ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>; ssl_protocols <%= @ssl_protocols %>; <% if defined? @ssl_session_cache -%> ssl_session_cache <%= @ssl_session_cache %>; diff --git a/templates/server/server_ssl_settings.erb b/templates/server/server_ssl_settings.erb index 1229edaa7..f46cde249 100644 --- a/templates/server/server_ssl_settings.erb +++ b/templates/server/server_ssl_settings.erb @@ -26,7 +26,7 @@ <% end -%> ssl_protocols <%= @ssl_protocols %>; ssl_ciphers <%= @ssl_ciphers %>; - ssl_prefer_server_ciphers on; + ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>; <% if @ssl_crl -%> ssl_crl <%= @ssl_crl %>; <% end -%>
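Review bot: Both new cases set `ssl_prefer_server_ciphers` explicitly, so nothing here pins the behaviour the commit actually changes: a mailhost with no value given should now render `ssl_prefer_server_ciphers on;` rather than inheriting nginx's `off`. Unless the default-parameter context elsewhere in this spec already checks it, add an expectation there along the lines of `is_expected.to contain_concat__fragment(...).with_content(%r{ssl_prefer_server_ciphers on;})` (or whatever matcher this spec uses for the rendered SSL fragment), so a later change to the module default fails a test instead of silently weakening every mailhost. The same gap applies to the server spec hunk that follows.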
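Review bot: Once `off` is a reachable value for `@ssl_prefer_server_ciphers`, the negotiated suite is chosen by the client's preference order, and the ordering of the `ssl_ciphers` directive on the line above stops protecting against a client selecting the weakest suite that list still permits. Keeping `on` as the default preserves the previous hardened behaviour, but an operator turning it off needs the precondition spelled out: `ssl_ciphers` must already be narrowed to suites they accept in any order. A template comment makes that visible at the point of use, e.g. `<%# 'off' lets the client choose among ssl_ciphers; only safe when that list is already restricted -%>` placed directly above the directive. The mailhost template in the preceding hunk has the same exposure.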
