Merge pull request #212 from hdanes/ssl_dhparam

Add support for Diffie-Hellman (SSL) parameters in VHOST resource.
voxpupuli · Dec 30, 2013 · 2b19293 · 2b19293
2 parents 9647509 + 1d90dac
commit 2b19293
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp
@@ -43,6 +43,9 @@
 #     vhost.
 #   [*ssl_cert*]            - Pre-generated SSL Certificate file to reference
 #     for SSL Support. This is not generated by this module.
+#   [*ssl_dhparam*]         - This directive specifies a file containing
+#     Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
+#     format, utilized for exchanging session keys between server and client. 
 #   [*ssl_key*]             - Pre-generated SSL Key file to reference for SSL
 #     Support. This is not generated by this module.
 #   [*ssl_port*]            - Default IP Port for NGINX to listen with this SSL
@@ -124,6 +127,7 @@
   $add_header             = undef,
   $ssl                    = false,
   $ssl_cert               = undef,
+  $ssl_dhparam            = undef,
   $ssl_key                = undef,
   $ssl_port               = '443',
   $ssl_protocols          = 'SSLv3 TLSv1 TLSv1.1 TLSv1.2',
@@ -178,6 +182,9 @@
   if ($add_header != undef) {
     validate_hash($add_header)
   }
+  if ($ssl_dhparam != undef) {
+    validate_string($ssl_dhparam)
+  }
   if ($resolver != undef) {
     validate_string($resolver)
   }
@@ -354,6 +361,13 @@
       mode   => '0440',
       source => $ssl_key,
     })
+    if ($ssl_dhparam != undef) {
+      ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.dh.pem", {
+        owner  => $nginx::params::nx_daemon_user,
+        mode   => '0440',
+        source => $ssl_dhparam,
+      })
+    }
     if ($ssl_stapling_file != undef) {
       ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.ocsp.resp", {
         owner  => $nginx::params::nx_daemon_user,
@@ -377,4 +391,4 @@
     require => Concat[$config_file],
     notify  => Service['nginx'],
   }
-}
+}
diff --git a/templates/vhost/vhost_ssl_header.erb b/templates/vhost/vhost_ssl_header.erb
@@ -9,6 +9,9 @@ server {
 
   ssl_certificate           <%= scope.lookupvar('nginx::params::nx_conf_dir') %>/<%= @name.gsub(' ', '_') %>.crt;
   ssl_certificate_key       <%= scope.lookupvar('nginx::params::nx_conf_dir') %>/<%= @name.gsub(' ', '_') %>.key;
+<% if defined? @ssl_dhparam -%>
+  ssl_dhparam               <%= scope.lookupvar('nginx::params::nx_conf_dir') %>/<%= @name.gsub(' ', '_') %>.dh.pem;
+<% end -%>
   ssl_session_cache         <%= @ssl_cache %>;
   ssl_session_timeout       5m;
   ssl_protocols             <%= @ssl_protocols %>;