From 3d752f80196b6cbf7faee4ddb3a1696f10eebe15 Mon Sep 17 00:00:00 2001 From: Matthew Haughton <3flex@users.noreply.github.com> Date: Tue, 14 Apr 2015 12:35:50 -0400 Subject: [PATCH 1/2] vhost: don't copy any SSL files --- manifests/resource/vhost.pp | 43 -------------------------- spec/defines/resource_vhost_spec.rb | 31 ++++++++++++++++--- templates/vhost/vhost_ssl_settings.erb | 12 +++---- 3 files changed, 32 insertions(+), 54 deletions(-)
diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp
index 2f462a445..633948dd5 100644
--- a/manifests/resource/vhost.pp
+++ b/manifests/resource/vhost.pp
@@ -630,49 +630,6 @@
 content => template('nginx/vhost/vhost_ssl_footer.erb'),
 order => '999',
 }
-
- #Generate ssl key/cert with provided file-locations
- $cert = regsubst($name,' ','_', 'G')
-
- # Check if the file has been defined before creating the file to
- # avoid the error when using wildcard cert on the multiple vhosts
- ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.crt", {
- owner => $::nginx::config::daemon_user,
- mode => '0444',
- source => $ssl_cert,
- })
-
- ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.client.crt", {
- owner => $::nginx::config::daemon_user,
- mode => '0444',
- source => $ssl_client_cert,
- })
- ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.key", {
- owner => $::nginx::config::daemon_user,
- mode => '0440',
- source => $ssl_key,
- })
- if ($ssl_dhparam != undef) {
- ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.dh.pem", {
- owner => $::nginx::config::daemon_user,
- mode => '0440',
- source => $ssl_dhparam,
- })
- }
- if ($ssl_stapling_file != undef) {
- ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.ocsp.resp", {
- owner => $::nginx::config::daemon_user,
- mode => '0440',
- source => $ssl_stapling_file,
- })
- }
- if ($ssl_trusted_cert != undef) {
- ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.trusted.crt", {
- owner => $::nginx::config::daemon_user,
- mode => '0440',
- source => $ssl_trusted_cert,
- })
- }
 }
 file{ "${name_sanitized}.conf symlink":
diff --git a/spec/defines/resource_vhost_spec.rb b/spec/defines/resource_vhost_spec.rb
index 39d4327f0..52711cfb2 100644
--- a/spec/defines/resource_vhost_spec.rb
+++ b/spec/defines/resource_vhost_spec.rb
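Review bot: Removing these `file` resources also removes the only place where the module constrained the private key nginx reads — the deleted `.key` resource forced `owner => $::nginx::config::daemon_user` and `mode => '0440'` on the copy — and nothing in this hunk replaces that with a documented expectation. The removed resources took `$ssl_cert`, `$ssl_key` and the other paths as a `file` `source`, so `puppet:///` URLs were previously valid values; after this patch the same values are written into the nginx config as given (template hunk in this patch), which is a silent breaking change for any caller relying on that. The `[*ssl_cert*]` and `[*ssl_key*]` parameter docs, which sit outside this hunk, should state that the file must already exist on the node as a local path, readable by `$::nginx::config::daemon_user` and not world-readable, and that the module no longer copies or manages it. The enclosing `nginx::resource::vhost` define starts and ends outside this hunk.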
@@ -428,6 +428,30 @@
 :value => false,
 :match => %r'\s+server_name\s+www.rspec.example.com;',
 },
+ {
+ :title => 'should set the SSL client certificate file',
+ :attr => 'ssl_client_cert',
+ :value => '/tmp/client_certificate',
+ :match => %r'\s+ssl_client_certificate\s+/tmp/client_certificate;',
+ },
+ {
+ :title => 'should set the SSL DH parameters file',
+ :attr => 'ssl_dhparam',
+ :value => '/tmp/dhparam',
+ :match => %r'\s+ssl_dhparam\s+/tmp/dhparam;',
+ },
+ {
+ :title => 'should set the SSL stapling file',
+ :attr => 'ssl_stapling_file',
+ :value => '/tmp/stapling_file',
+ :match => %r'\s+ssl_stapling_file\s+/tmp/stapling_file;',
+ },
+ {
+ :title => 'should set the SSL trusted certificate file',
+ :attr => 'ssl_trusted_cert',
+ :value => '/tmp/trusted_certificate',
+ :match => %r'\s+ssl_trusted_certificate\s+/tmp/trusted_certificate;',
+ },
 {
 :title => 'should set the SSL cache',
 :attr => 'ssl_cache',
@@ -816,9 +840,9 @@
 it { is_expected.to contain_nginx__resource__location("#{title}-default").with_ssl_only(true) }
 it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{access_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.access\.log combined;}) }
 it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{error_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.error\.log}) }
+ it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_certificate\s+dummy.cert;}) }
+ it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_certificate_key\s+dummy.key;}) }
 it { is_expected.to contain_concat__fragment("#{title}-ssl-footer") }
- it { is_expected.to contain_file("/etc/nginx/#{title}.crt") }
- it { is_expected.to contain_file("/etc/nginx/#{title}.key") }
 end
 context 'when ssl_client_cert is set' do
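Review bot: In the `@@ -816` hunk the two `contain_file` expectations are deleted rather than inverted, so the spec no longer proves that the vhost stops declaring `/etc/nginx/#{title}.crt` and `.key` — a later change that reintroduces the copy would pass unnoticed. Replace them with `it { is_expected.not_to contain_file("/etc/nginx/#{title}.crt") }` and `it { is_expected.not_to contain_file("/etc/nginx/#{title}.key") }`; the same applies to the three deletions in the `ssl_client_cert` context in the next hunk. The new `ssl_certificate` matchers leave the `.` in `dummy.cert` and `dummy.key` unescaped, so `dummy\.cert;` and `dummy\.key;` would pin exactly what the template emits. The enclosing `context` block starts outside this hunk.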
@@ -835,9 +859,6 @@
 it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{access_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.access\.log combined;}) }
 it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{error_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.error\.log}) }
 it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_verify_client on;}) }
- it { is_expected.to contain_file("/etc/nginx/#{title}.crt") }
- it { is_expected.to contain_file("/etc/nginx/#{title}.client.crt") }
- it { is_expected.to contain_file("/etc/nginx/#{title}.key") }
 end
 context 'when passenger_cgi_param is set' do
 let :params do default_params.merge({
diff --git a/templates/vhost/vhost_ssl_settings.erb b/templates/vhost/vhost_ssl_settings.erb
index 89240e63a..2cdd73b68 100644
--- a/templates/vhost/vhost_ssl_settings.erb
+++ b/templates/vhost/vhost_ssl_settings.erb
@@ -1,13 +1,13 @@
 ssl on;
- ssl_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.crt;
- ssl_certificate_key <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.key;
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
 <% if defined? @ssl_client_cert -%>
- ssl_client_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.client.crt;
+ ssl_client_certificate <%= @ssl_client_cert %>;
 ssl_verify_client on;
 <% end -%>
 <% if defined? @ssl_dhparam -%>
- ssl_dhparam <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.dh.pem;
+ ssl_dhparam <%= @ssl_dhparam %>;
 <% end -%>
 ssl_session_cache <%= @ssl_cache %>;
 ssl_session_timeout <%= @ssl_session_timeout %>;
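Review bot: In the `@@ -1,13` hunk, `<%= @ssl_cert %>`, `<%= @ssl_key %>`, `<%= @ssl_client_cert %>` and `<%= @ssl_dhparam %>` now emit caller-supplied strings into the nginx config verbatim and unquoted, whereas the removed lines built the path from `nginx::config::conf_dir` and a `gsub`-sanitized `@name`; the `@@ -19` and `@@ -28` hunks of this file make the same change for `ssl_stapling_file` and `ssl_trusted_certificate`. Nothing quotes or checks these values, so a value containing whitespace or `;` changes the directive structure, and a value that is not a local path renders as an unusable directive. The template cannot validate, so the define should: `validate_absolute_path($ssl_cert)` and the same for `$ssl_key`, `$ssl_client_cert`, `$ssl_dhparam`, `$ssl_stapling_file` and `$ssl_trusted_cert` where the manifest currently applies `validate_string` to these parameters (outside this hunk), which rejects relative paths and URLs. A one-line template comment would also help the next reader, e.g. `<%# ssl_* paths are emitted as given; nginx::resource::vhost validates them as absolute paths -%>`.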
@@ -19,7 +19,7 @@
 ssl_stapling on;
 <%- end -%>
 <%- if defined? @ssl_stapling_file -%>
- ssl_stapling_file <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.ocsp.resp;
+ ssl_stapling_file <%= @ssl_stapling_file %>;
 <%- end -%>
 <%- if defined? @ssl_stapling_responder -%>
 ssl_stapling_responder <%= @ssl_stapling_responder %>;
@@ -28,7 +28,7 @@
 ssl_stapling_verify on;
 <%- end -%>
 <%- if defined? @ssl_trusted_cert -%>
- ssl_trusted_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.trusted.crt;
+ ssl_trusted_certificate <%= @ssl_trusted_cert %>;
 <%- end -%>
 <% end -%>
From afe65f78ce6499e329bdbf7974c301ca774a90cf Mon Sep 17 00:00:00 2001 From: Matthew Haughton <3flex@users.noreply.github.com> Date: Tue, 14 Apr 2015 14:28:19 -0400 Subject: [PATCH 2/2] vhost: add ssl_crl parameter --- manifests/resource/vhost.pp | 5 +++++ spec/defines/resource_vhost_spec.rb | 6 ++++++ templates/vhost/vhost_ssl_settings.erb | 3 +++ 3 files changed, 14 insertions(+)
diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp
index 633948dd5..d80de407e 100644
--- a/manifests/resource/vhost.pp
+++ b/manifests/resource/vhost.pp
@@ -46,6 +46,7 @@
 # for SSL Support. This is not generated by this module.
 # [*ssl_client_cert*] - Pre-generated SSL Certificate file to reference
 # for client verify SSL Support. This is not generated by this module.
+# [*ssl_crl*] - String: Specifies CRL path in file system
 # [*ssl_dhparam*] - This directive specifies a file containing
 # Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
 # format, utilized for exchanging session keys between server and client.
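Review bot: The new `[*ssl_crl*]` doc line in the `@@ -46` hunk leaves out what the neighbouring entries state and what matters most for this parameter: the CRL is only consulted when nginx verifies client certificates, which this module enables only through `ssl_client_cert` (the template emits `ssl_verify_client on;` inside that guard), and the file is neither generated nor copied by the module. Suggested wording, matching the surrounding entries: `# [*ssl_crl*] - Pre-generated CRL file (PEM) to reference when verifying` / `# client certificates; only used together with ssl_client_cert. This is` / `# not generated by this module.` Stating the dependency here is the cheapest way to stop an operator from assuming revocation is enforced on a vhost that never checks client certificates.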
@@ -178,6 +179,7 @@
 $ssl_protocols = 'TLSv1 TLSv1.1 TLSv1.2',
 $ssl_ciphers = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA',
 $ssl_cache = 'shared:SSL:10m',
+ $ssl_crl = undef,
 $ssl_stapling = false,
 $ssl_stapling_file = undef,
 $ssl_stapling_responder = undef,
@@ -280,6 +282,9 @@
 if ($ssl_client_cert != undef) {
 validate_string($ssl_client_cert)
 }
+ if ($ssl_crl != undef) {
+ validate_string($ssl_crl)
+ }
 validate_bool($ssl_listen_option)
 if ($ssl_dhparam != undef) {
 validate_string($ssl_dhparam)
diff --git a/spec/defines/resource_vhost_spec.rb b/spec/defines/resource_vhost_spec.rb
index 52711cfb2..1d4353750 100644
--- a/spec/defines/resource_vhost_spec.rb
+++ b/spec/defines/resource_vhost_spec.rb
@@ -434,6 +434,12 @@
 :value => '/tmp/client_certificate',
 :match => %r'\s+ssl_client_certificate\s+/tmp/client_certificate;',
 },
+ {
+ :title => 'should set the SSL CRL file',
+ :attr => 'ssl_crl',
+ :value => '/tmp/crl',
+ :match => %r'\s+ssl_crl\s+/tmp/crl;',
+ },
 {
 :title => 'should set the SSL DH parameters file',
 :attr => 'ssl_dhparam',
diff --git a/templates/vhost/vhost_ssl_settings.erb b/templates/vhost/vhost_ssl_settings.erb
index 2cdd73b68..2d12c391e 100644
--- a/templates/vhost/vhost_ssl_settings.erb
+++ b/templates/vhost/vhost_ssl_settings.erb
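Review bot: In the `@@ -280` hunk, `validate_string($ssl_crl)` accepts any string, but a CRL set without `ssl_client_cert` is silently ignored — the template only emits `ssl_verify_client on;` under the `ssl_client_cert` guard, so an operator can believe revocation is enforced on a vhost that never checks a client certificate. A fail-fast check next to the new validation makes that misconfiguration visible: `if ($ssl_crl != undef and $ssl_client_cert == undef) {` / `  fail('ssl_crl has no effect unless ssl_client_cert is also set')` / `}`. Since the value is written into the nginx config as given (template hunk at the end of this patch), `validate_absolute_path($ssl_crl)` is the stronger check here, and it also rejects `puppet:///` URLs that the removed `file` resources of the previous patch used to accept. The enclosing `nginx::resource::vhost` define starts and ends outside this hunk.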
@@ -14,6 +14,9 @@
 ssl_protocols <%= @ssl_protocols %>;
 ssl_ciphers <%= @ssl_ciphers %>;
 ssl_prefer_server_ciphers on;
+<% if @ssl_crl -%>
+ ssl_crl <%= @ssl_crl %>;
+<% end -%>
 <%- if instance_variables.any? { |iv| iv.to_s.include? 'ssl_' } -%>
 <%- if @ssl_stapling -%>
 ssl_stapling on;
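Review bot: `<% if @ssl_crl -%>` departs from the guard style used for the other optional path directives in this template, which are written `<%- if defined? @ssl_stapling_file -%>` and `<%- if defined? @ssl_trusted_cert -%>`; mixing a truthiness test with `defined?` tests, and `<%` with `<%-`, in one file makes the undef handling harder to reason about, and `<%- if defined? @ssl_crl -%>` / `<%- end -%>` would match its neighbours, assuming the `defined?` form behaves as those guards already rely on. Placement is also worth a look: the directive is emitted outside the `ssl_client_cert` guard that enables `ssl_verify_client on;`, so a config can carry an `ssl_crl` that nginx never consults; emitting it inside that guard, or failing in the manifest when `ssl_crl` is set without `ssl_client_cert`, would close that gap. The `instance_variables.any?` block opened on the next line is closed outside this hunk.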