Skip to content

Commit

Permalink
Add ability to set ssl-settings globally - fixes voxpupuli#670
Browse files Browse the repository at this point in the history
  • Loading branch information
TuningYourCode authored and François Boukhalfa committed May 31, 2020
1 parent 6831e15 commit 084b86a
Show file tree
Hide file tree
Showing 7 changed files with 265 additions and 14 deletions.
20 changes: 17 additions & 3 deletions manifests/config.pp
Original file line number Diff line number Diff line change
Expand Up @@ -119,15 +119,29 @@
$server_tokens = $nginx::server_tokens
$spdy = $nginx::spdy
$http2 = $nginx::http2
$ssl_buffer_size = $nginx::ssl_buffer_size
$ssl_ciphers = $nginx::ssl_ciphers
$ssl_crl = $nginx::ssl_crl
$ssl_dhparam = $nginx::ssl_dhparam
$ssl_ecdh_curve = $nginx::ssl_ecdh_curve
$ssl_session_cache = $nginx::ssl_session_cache
$ssl_session_timeout = $nginx::ssl_session_timeout
$ssl_session_tickets = $nginx::ssl_session_tickets
$ssl_session_ticket_key = $nginx::ssl_session_ticket_key
$ssl_stapling = $nginx::ssl_stapling
$ssl_stapling_file = $nginx::ssl_stapling_file
$ssl_stapling_responder = $nginx::ssl_stapling_responder
$ssl_stapling_verify = $nginx::ssl_stapling_verify
$ssl_trusted_certificate = $nginx::ssl_trusted_certificate
$ssl_password_file = $nginx::ssl_password_file
$ssl_prefer_server_ciphers = $nginx::ssl_prefer_server_ciphers
$ssl_protocols = $nginx::ssl_protocols
$ssl_verify_depth = $nginx::ssl_verify_depth
$types_hash_bucket_size = $nginx::types_hash_bucket_size
$types_hash_max_size = $nginx::types_hash_max_size
$worker_connections = $nginx::worker_connections
$worker_processes = $nginx::worker_processes
$worker_rlimit_nofile = $nginx::worker_rlimit_nofile
$ssl_prefer_server_ciphers = $nginx::ssl_prefer_server_ciphers
$ssl_protocols = $nginx::ssl_protocols
$ssl_ciphers = $nginx::ssl_ciphers
$include_modules_enabled = $nginx::include_modules_enabled

# Non-configurable settings
Expand Down
17 changes: 15 additions & 2 deletions manifests/init.pp
Original file line number Diff line number Diff line change
Expand Up @@ -153,6 +153,7 @@
Enum['on', 'off'] $spdy = 'off',
Enum['on', 'off'] $http2 = 'off',
Enum['on', 'off'] $ssl_stapling = 'off',
Enum['on', 'off'] $ssl_stapling_verify = 'off',
Stdlib::Absolutepath $snippets_dir = $nginx::params::snippets_dir,
Boolean $manage_snippets_dir = true,
$types_hash_bucket_size = '512',
Expand All @@ -161,9 +162,21 @@
Enum['on', 'off'] $ssl_prefer_server_ciphers = 'on',
Variant[Integer, Enum['auto']] $worker_processes = 'auto',
Integer $worker_rlimit_nofile = 1024,
$ssl_protocols = 'TLSv1 TLSv1.1 TLSv1.2',
$ssl_ciphers = 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS', # lint:ignore:140chars
String $ssl_protocols = 'TLSv1 TLSv1.1 TLSv1.2',
String $ssl_ciphers = 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS', # lint:ignore:140chars
Optional[Stdlib::Unixpath] $ssl_dhparam = undef,
Optional[String] $ssl_ecdh_curve = undef,
String $ssl_session_cache = 'shared:SSL:10m',
String $ssl_session_timeout = '5m',
Optional[Enum['on', 'off']] $ssl_session_tickets = undef,
Optional[Stdlib::Absolutepath] $ssl_session_ticket_key = undef,
Optional[String] $ssl_buffer_size = undef,
Optional[Stdlib::Absolutepath] $ssl_crl = undef,
Optional[Stdlib::Absolutepath] $ssl_stapling_file = undef,
Optional[String] $ssl_stapling_responder = undef,
Optional[Stdlib::Absolutepath] $ssl_trusted_certificate = undef,
Optional[Integer] $ssl_verify_depth = undef,
Optional[Stdlib::Absolutepath] $ssl_password_file = undef,

### START Package Configuration ###
$package_ensure = present,
Expand Down
18 changes: 9 additions & 9 deletions manifests/resource/server.pp
Original file line number Diff line number Diff line change
Expand Up @@ -172,32 +172,32 @@
Optional[Variant[String, Boolean]] $ssl_cert = undef,
Optional[String] $ssl_client_cert = undef,
String $ssl_verify_client = 'on',
Optional[String] $ssl_dhparam = $nginx::ssl_dhparam,
Optional[String] $ssl_dhparam = undef,
Optional[String] $ssl_ecdh_curve = undef,
Boolean $ssl_redirect = false,
Optional[Integer] $ssl_redirect_port = undef,
Optional[Variant[String, Boolean]] $ssl_key = undef,
Integer $ssl_port = 443,
Enum['on', 'off'] $ssl_prefer_server_ciphers = $nginx::ssl_prefer_server_ciphers,
String $ssl_protocols = $nginx::ssl_protocols,
$ssl_buffer_size = undef,
String $ssl_ciphers = $nginx::ssl_ciphers,
String $ssl_cache = 'shared:SSL:10m',
Optional[Enum['on', 'off']] $ssl_prefer_server_ciphers = undef,
Optional[String] $ssl_protocols = undef,
Optional[String] $ssl_buffer_size = undef,
Optional[String] $ssl_ciphers = undef,
Optional[String] $ssl_cache = undef,
Optional[String] $ssl_crl = undef,
Boolean $ssl_stapling = false,
Optional[String] $ssl_stapling_file = undef,
Optional[String] $ssl_stapling_responder = undef,
Boolean $ssl_stapling_verify = false,
String $ssl_session_timeout = '5m',
Optional[String] $ssl_session_tickets = undef,
Optional[String] $ssl_session_timeout = undef,
Optional[Enum['on', 'off']] $ssl_session_tickets = undef,
Optional[String] $ssl_session_ticket_key = undef,
Optional[String] $ssl_trusted_cert = undef,
Optional[Integer] $ssl_verify_depth = undef,
Optional[Stdlib::Absolutepath] $ssl_password_file = undef,
Enum['on', 'off'] $spdy = $nginx::spdy,
Enum['on', 'off'] $http2 = $nginx::http2,
Optional[String] $proxy = undef,
Optional[String]$proxy_redirect = undef,
Optional[String] $proxy_redirect = undef,
String $proxy_read_timeout = $nginx::proxy_read_timeout,
String $proxy_send_timeout = $nginx::proxy_send_timeout,
$proxy_connect_timeout = $nginx::proxy_connect_timeout,
Expand Down
3 changes: 3 additions & 0 deletions spec/acceptance/nginx_server_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,7 @@ class { 'nginx': }
it { is_expected.to be_file }
it { is_expected.not_to contain 'ssl on;' } # As of nginx 1.15 (1.16 stable), this will not be set.
it { is_expected.to contain 'listen *:443 ssl;' }
it { is_expected.not_to contain 'shared:SSL:10m;' }
end

describe file('/etc/nginx/sites-enabled/www.puppetlabs.com.conf') do
Expand Down Expand Up @@ -119,6 +120,7 @@ class { 'nginx': }
nginx::resource::server { 'www.puppetlabs.com':
ensure => present,
ssl => true,
ssl_cache => 'shared:SSL:10m',
ssl_cert => '/etc/pki/tls/certs/crypted.cert',
ssl_key => '/etc/pki/tls/private/crypted.key',
ssl_password_file => '/etc/pki/tls/private/crypted.pass',
Expand All @@ -134,6 +136,7 @@ class { 'nginx': }

describe file('/etc/nginx/sites-available/www.puppetlabs.com.conf') do
it { is_expected.to be_file }
it { is_expected.to contain 'ssl_session_cache shared:SSL:10m;' }
it { is_expected.to contain 'ssl_password_file /etc/pki/tls/private/crypted.pass;' }
end

Expand Down
156 changes: 156 additions & 0 deletions spec/classes/nginx_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -921,6 +921,162 @@
attr: 'proxy_busy_buffers_size',
value: '16k',
match: ' proxy_busy_buffers_size 16k;'
},
{
title: 'should set ssl_stapling_verify',
attr: 'ssl_stapling_verify',
value: 'on',
match: ' ssl_stapling_verify on;'
},
{
title: 'should set ssl_protocols',
attr: 'ssl_protocols',
value: 'TLSv1.2',
match: ' ssl_protocols TLSv1.2;'
},
{
title: 'should set ssl_ciphers',
attr: 'ssl_ciphers',
value: 'ECDHE-ECDSA-CHACHA20-POLY1305',
match: ' ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305;'
},
{
title: 'should set ssl_dhparam',
attr: 'ssl_dhparam',
value: '/path/to/dhparam',
match: ' ssl_dhparam /path/to/dhparam;'
},
{
title: 'should not set ssl_ecdh_curve',
attr: 'ssl_ecdh_curve',
value: :undef,
notmatch: 'ssl_ecdh_curve'
},
{
title: 'should set ssl_ecdh_curve',
attr: 'ssl_ecdh_curve',
value: 'prime256v1:secp384r1',
match: ' ssl_ecdh_curve prime256v1:secp384r1;'
},
{
title: 'should set ssl_session_cache',
attr: 'ssl_session_cache',
value: 'shared:SSL:10m',
match: ' ssl_session_cache shared:SSL:10m;'
},
{
title: 'should set ssl_session_timeout',
attr: 'ssl_session_timeout',
value: '5m',
match: ' ssl_session_timeout 5m;'
},
{
title: 'should not set ssl_session_tickets',
attr: 'ssl_session_tickets',
value: :undef,
notmatch: 'ssl_session_tickets'
},
{
title: 'should set ssl_session_tickets',
attr: 'ssl_session_tickets',
value: 'on',
match: ' ssl_session_tickets on;'
},
{
title: 'should not set ssl_session_ticket_key',
attr: 'ssl_session_ticket_key',
value: :undef,
notmatch: 'ssl_session_ticket_key'
},
{
title: 'should set ssl_session_ticket_key',
attr: 'ssl_session_ticket_key',
value: '/path/to/ticket_key',
match: ' ssl_session_ticket_key /path/to/ticket_key;'
},
{
title: 'should not set ssl_buffer_size',
attr: 'ssl_buffer_size',
value: :undef,
notmatch: 'ssl_buffer_size'
},
{
title: 'should set ssl_buffer_size',
attr: 'ssl_buffer_size',
value: '16k',
match: ' ssl_buffer_size 16k;'
},
{
title: 'should not set ssl_crl',
attr: 'ssl_crl',
value: :undef,
notmatch: 'ssl_crl'
},
{
title: 'should set ssl_crl',
attr: 'ssl_crl',
value: '/path/to/crl',
match: ' ssl_crl /path/to/crl;'
},
{
title: 'should not set ssl_stapling_file',
attr: 'ssl_stapling_file',
value: :undef,
notmatch: 'ssl_stapling_file'
},
{
title: 'should set ssl_stapling_file',
attr: 'ssl_stapling_file',
value: '/path/to/stapling_file',
match: ' ssl_stapling_file /path/to/stapling_file;'
},
{
title: 'should not set ssl_stapling_responder',
attr: 'ssl_stapling_responder',
value: :undef,
notmatch: 'ssl_stapling_responder'
},
{
title: 'should set ssl_stapling_responder',
attr: 'ssl_stapling_responder',
value: 'http://stapling.responder/',
match: ' ssl_stapling_responder http://stapling.responder/;'
},
{
title: 'should not set ssl_trusted_certificate',
attr: 'ssl_trusted_certificate',
value: :undef,
notmatch: 'ssl_trusted_certificate'
},
{
title: 'should set ssl_trusted_certificate',
attr: 'ssl_trusted_certificate',
value: '/path/to/trusted_cert',
match: ' ssl_trusted_certificate /path/to/trusted_cert;'
},
{
title: 'should not set ssl_verify_depth',
attr: 'ssl_verify_depth',
value: :undef,
notmatch: 'ssl_verify_depth'
},
{
title: 'should set ssl_verify_depth',
attr: 'ssl_verify_depth',
value: 5,
match: ' ssl_verify_depth 5;'
},
{
title: 'should not set ssl_password_file',
attr: 'ssl_password_file',
value: :undef,
notmatch: 'ssl_password_file'
},
{
title: 'should set ssl_password_file',
attr: 'ssl_password_file',
value: '/path/to/password_file',
match: ' ssl_password_file /path/to/password_file;'
}
].each do |param|
context "when #{param[:attr]} is #{param[:value]}" do
Expand Down
55 changes: 55 additions & 0 deletions templates/conf.d/nginx.conf.erb
Original file line number Diff line number Diff line change
Expand Up @@ -220,6 +220,61 @@ http {
<% if @fastcgi_cache_use_stale -%>
fastcgi_cache_use_stale <%= @fastcgi_cache_use_stale %>;
<% end -%>

<% if @ssl_dhparam -%>
ssl_dhparam <%= @ssl_dhparam %>;
<% end -%>
<% if @ssl_ecdh_curve -%>
ssl_ecdh_curve <%= @ssl_ecdh_curve %>;
<% end -%>
<% if @ssl_session_cache -%>
ssl_session_cache <%= @ssl_session_cache %>;
<% end -%>
<% if @ssl_session_timeout -%>
ssl_session_timeout <%= @ssl_session_timeout %>;
<% end -%>
<% if @ssl_session_tickets -%>
ssl_session_tickets <%= @ssl_session_tickets %>;
<% end -%>
<% if @ssl_session_ticket_key -%>
ssl_session_ticket_key <%= @ssl_session_ticket_key %>;
<% end -%>
<% if @ssl_buffer_size -%>
ssl_buffer_size <%= @ssl_buffer_size %>;
<% end -%>
<% if @ssl_protocols -%>
ssl_protocols <%= @ssl_protocols %>;
<% end -%>
<% if @ssl_ciphers -%>
ssl_ciphers <%= @ssl_ciphers %>;
<% end -%>
<% if @ssl_prefer_server_ciphers -%>
ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
<% end -%>
<% if @ssl_crl -%>
ssl_crl <%= @ssl_crl %>;
<% end -%>
<% if @ssl_stapling -%>
ssl_stapling <%= @ssl_stapling %>;
<% end -%>
<% if @ssl_stapling_file -%>
ssl_stapling_file <%= @ssl_stapling_file %>;
<% end -%>
<% if @ssl_stapling_responder -%>
ssl_stapling_responder <%= @ssl_stapling_responder %>;
<% end -%>
<% if @ssl_stapling_verify -%>
ssl_stapling_verify <%= @ssl_stapling_verify %>;
<% end -%>
<% if @ssl_trusted_certificate -%>
ssl_trusted_certificate <%= @ssl_trusted_certificate %>;
<% end -%>
<% if @ssl_verify_depth -%>
ssl_verify_depth <%= @ssl_verify_depth %>;
<% end -%>
<% if @ssl_password_file -%>
ssl_password_file <%= @ssl_password_file %>;
<% end -%>
<% if @http_cfg_append -%>

<%- field_width = @http_cfg_append.inject(0) { |l,(k,v)| k.size > l ? k.size : l } -%>
Expand Down
10 changes: 10 additions & 0 deletions templates/server/server_ssl_settings.erb
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,12 @@
<%- if defined? @ssl_ecdh_curve -%>
ssl_ecdh_curve <%= @ssl_ecdh_curve %>;
<%- end -%>
<% if @ssl_cache -%>
ssl_session_cache <%= @ssl_cache %>;
<% end -%>
<% if @ssl_session_timeout -%>
ssl_session_timeout <%= @ssl_session_timeout %>;
<% end -%>
<% if @ssl_session_tickets -%>
ssl_session_tickets <%= @ssl_session_tickets %>;
<% end -%>
Expand All @@ -28,9 +32,15 @@
<% if @ssl_buffer_size -%>
ssl_buffer_size <%= @ssl_buffer_size %>;
<% end -%>
<% if @ssl_protocols -%>
ssl_protocols <%= @ssl_protocols %>;
<% end -%>
<% if @ssl_ciphers -%>
ssl_ciphers <%= @ssl_ciphers %>;
<% end -%>
<% if @ssl_prefer_server_ciphers -%>
ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
<% end -%>
<% if @ssl_crl -%>
ssl_crl <%= @ssl_crl %>;
<% end -%>
Expand Down

0 comments on commit 084b86a

Please sign in to comment.