Merge pull request #213 from hdanes/ssl_stapling

Added support for SSL stapling of OCSP responses.
voxpupuli · Dec 30, 2013 · bf5b067 · bf5b067
2 parents d5ecd53 + d0c3168
commit bf5b067
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 4 deletions.
diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp
@@ -34,6 +34,8 @@
 #     nginx::resource::upstream
 #   [*proxy_read_timeout*]  - Override the default the proxy read timeout value
 #     of 90 seconds
+#   [*resolver*]            - String: Configures name servers used to resolve
+#     names of upstream servers into addresses.
 #   [*fastcgi*]             - location of fastcgi (host:port)
 #   [*fastcgi_params*]      - optional alternative fastcgi_params file to use
 #   [*fastcgi_script*]      - optional SCRIPT_FILE parameter
@@ -49,6 +51,19 @@
 #     TLSv1.1 TLSv1.2'.
 #   [*ssl_ciphers*]         - SSL ciphers enabled. Defaults to
 #     'HIGH:!aNULL:!MD5'.
+#   [*ssl_stapling*]        - Bool: Enables or disables stapling of OCSP
+#     responses by the server. Defaults to false.
+#   [*ssl_stapling_file*]   - String: When set, the stapled OCSP response
+#     will be taken from the specified file instead of querying the OCSP
+#     responder specified in the server certificate.
+#   [*ssl_stapling_responder*] - String: Overrides the URL of the OCSP
+#     responder specified in the ÒAuthority Information AccessÓ certificate
+#     extension.
+#   [*ssl_stapling_verify*] - Bool: Enables or disables verification of
+#     OCSP responses by the server. Defaults to false.
+#   [*ssl_trusted_cert*]    - String: Specifies a file with trusted CA
+#     certificates in the PEM format used to verify client certificates and
+#     OCSP responses if ssl_stapling is enabled.
 #   [*spdy*]                - Toggles SPDY protocol.
 #   [*server_name*]         - List of vhostnames for which this vhost will
 #     respond. Default [$name].
@@ -114,6 +129,11 @@
   $ssl_protocols          = 'SSLv3 TLSv1 TLSv1.1 TLSv1.2',
   $ssl_ciphers            = 'HIGH:!aNULL:!MD5',
   $ssl_cache              = 'shared:SSL:10m',
+  $ssl_stapling           = false,
+  $ssl_stapling_file      = undef,
+  $ssl_stapling_responder = undef,
+  $ssl_stapling_verify    = false,
+  $ssl_trusted_cert       = undef,
   $spdy                   = $nginx::params::nx_spdy,
   $proxy                  = undef,
   $proxy_read_timeout     = $nginx::params::nx_proxy_read_timeout,
@@ -122,6 +142,7 @@
   $proxy_cache_valid      = false,
   $proxy_method           = undef,
   $proxy_set_body         = undef,
+  $resolver               = undef,
   $fastcgi                = undef,
   $fastcgi_params         = '/etc/nginx/fastcgi_params',
   $fastcgi_script         = undef,
@@ -157,6 +178,20 @@
   if ($add_header != undef) {
     validate_hash($add_header)
   }
+  if ($resolver != undef) {
+    validate_string($resolver)
+  }
+  validate_bool($ssl_stapling)
+  if ($ssl_stapling_file != undef) {
+    validate_string($ssl_stapling_file)
+  }
+  if ($ssl_stapling_responder != undef) {
+    validate_string($ssl_stapling_responder)
+  }
+  validate_bool($ssl_stapling_verify)
+  if ($ssl_trusted_cert != undef) {
+    validate_string($ssl_trusted_cert)
+  }
 
   # Variables
   $vhost_dir = "${nginx::config::nx_conf_dir}/sites-available"
@@ -319,6 +354,20 @@
       mode   => '0440',
       source => $ssl_key,
     })
+    if ($ssl_stapling_file != undef) {
+      ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.ocsp.resp", {
+        owner  => $nginx::params::nx_daemon_user,
+        mode   => '0440',
+        source => $ssl_stapling_file,
+      })
+    }
+    if ($ssl_trusted_cert != undef) {
+      ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.trusted.crt", {
+        owner  => $nginx::params::nx_daemon_user,
+        mode   => '0440',
+        source => $ssl_trusted_cert,
+      })
+    }
   }
 
   file{ "${name_sanitized}.conf symlink":
@@ -328,4 +377,4 @@
     require => Concat[$config_file],
     notify  => Service['nginx'],
   }
-}
+}
diff --git a/templates/vhost/vhost_ssl_header.erb b/templates/vhost/vhost_ssl_header.erb
@@ -14,6 +14,24 @@ server {
   ssl_protocols             <%= @ssl_protocols %>;
   ssl_ciphers               <%= @ssl_ciphers %>;
   ssl_prefer_server_ciphers on;
+<% if @ssl_stapling -%>
+  ssl_stapling              on;
+<% end -%>
+<% if defined? @ssl_stapling_file -%>
+  ssl_stapling_file         <%= scope.lookupvar('nginx::params::nx_conf_dir') %>/<%= @name.gsub(' ', '_') %>.ocsp.resp;
+<% end -%>
+<% if defined? @ssl_stapling_responder -%>
+  ssl_stapling_responder    <%= @ssl_stapling_responder %>;
+<% end -%>
+<% if @ssl_stapling_verify -%>
+  ssl_stapling_verify       on;
+<% end -%>
+<% if defined? @ssl_trusted_cert -%>
+  ssl_trusted_certificate   <%= scope.lookupvar('nginx::params::nx_conf_dir') %>/<%= @name.gsub(' ', '_') %>.trusted.crt;
+<% end -%>
+<% if defined? @resolver -%>
+  resolver                  <%= @resolver %>;
+<% end -%>
 <% if defined? @auth_basic -%>
   auth_basic                "<%= @auth_basic %>";
 <% end -%>
@@ -38,6 +56,4 @@ server {
 <% end -%>
 <% if @add_header -%><% @add_header.each do |key,value| -%>
   add_header              <%= key %> <%= value %>;
-<% end -%><% end -%>
-
-
+<% end -%><% end -%>