Skip to content

Commit

Permalink
Merge pull request #1067 from wyardley/issues_1032
Browse files Browse the repository at this point in the history
Make ssl_prefer_server_ciphers configurable in server / mailhost
  • Loading branch information
wyardley authored Apr 11, 2017
2 parents 818838d + 05f1c5d commit da99d72
Show file tree
Hide file tree
Showing 8 changed files with 197 additions and 231 deletions.
1 change: 1 addition & 0 deletions manifests/config.pp
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,7 @@
$worker_connections = $::nginx::worker_connections
$worker_processes = $::nginx::worker_processes
$worker_rlimit_nofile = $::nginx::worker_rlimit_nofile
$ssl_prefer_server_ciphers = $::nginx::ssl_prefer_server_ciphers
$ssl_protocols = $::nginx::ssl_protocols
$ssl_ciphers = $::nginx::ssl_ciphers

Expand Down
1 change: 1 addition & 0 deletions manifests/init.pp
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,7 @@
Integer $worker_connections = 1024,
Variant[Integer, Enum['auto']] $worker_processes = 1,
Integer $worker_rlimit_nofile = 1024,
Enum['on', 'off'] $ssl_prefer_server_ciphers = 'on',
$ssl_protocols = 'TLSv1 TLSv1.1 TLSv1.2',
$ssl_ciphers = 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS',

Expand Down
99 changes: 51 additions & 48 deletions manifests/resource/mailhost.pp
Original file line number Diff line number Diff line change
Expand Up @@ -3,54 +3,56 @@
# This definition creates a virtual host
#
# Parameters:
# [*ensure*] - Enables or disables the specified mailhost (present|absent)
# [*listen_ip*] - Default IP Address for NGINX to listen with this server on. Defaults to all interfaces (*)
# [*listen_port*] - Default IP Port for NGINX to listen with this server on. Defaults to TCP 80
# [*listen_options*] - Extra options for listen directive like 'default' to catchall. Undef by default.
# [*ipv6_enable*] - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6
# support exists on your system before enabling.
# [*ipv6_listen_ip*] - Default IPv6 Address for NGINX to listen with this server on. Defaults to all interfaces (::)
# [*ipv6_listen_port*] - Default IPv6 Port for NGINX to listen with this server on. Defaults to TCP 80
# [*ipv6_listen_options*] - Extra options for listen directive like 'default' to catchall. Template will allways add ipv6only=on.
# While issue jfryman/puppet-nginx#30 is discussed, default value is 'default'.
# [*index_files*] - Default index files for NGINX to read when traversing a directory
# [*ssl*] - Indicates whether to setup SSL bindings for this mailhost.
# [*ssl_cert*] - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module.
# [*ssl_ciphers*] - Override default SSL ciphers. Defaults to nginx::ssl_ciphers
# [*ssl_client_cert*] - Pre-generated SSL Certificate file to reference for client verify SSL Support. This is not generated by this module.
# [*ssl_crl*] - String: Specifies CRL path in file system
# [*ssl_dhparam*] - This directive specifies a file containing Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
# format, utilized for exchanging session keys between server and client.
# [*ssl_ecdh_curve*] - This directive specifies a curve for ECDHE ciphers.
# [*ssl_key*] - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module.
# [*ssl_password_file*] - This directive specifies a file containing passphrases for secret keys.
# [*ssl_port*] - Default IP Port for NGINX to listen with this SSL server on. Defaults to TCP 443
# [*ssl_protocols*] - SSL protocols enabled. Defaults to nginx::ssl_protocols
# [*ssl_session_cache*] - Sets the type and size of the session cache.
# [*ssl_session_ticket_key*] - This directive specifies a file containing secret key used to encrypt and decrypt TLS session tickets.
# [*ssl_session_tickets*] - Whether to enable or disable session resumption through TLS session tickets.
# [*ssl_session_timeout*] - String: Specifies a time during which a client may reuse the session parameters stored in a cache.
# Defaults to 5m.
# [*ssl_trusted_cert*] - String: Specifies a file with trusted CA certificates in the PEM format used to verify client
# certificates and OCSP responses if ssl_stapling is enabled.
# [*ssl_verify_depth*] - Sets the verification depth in the client certificates chain.
# [*starttls*] - Enable STARTTLS support: (on|off|only)
# [*protocol*] - Mail protocol to use: (imap|pop3|smtp)
# [*auth_http*] - With this directive you can set the URL to the external HTTP-like server for authorization.
# [*xclient*] - Whether to use xclient for smtp (on|off)
# [*imap_auth*] - Sets permitted methods of authentication for IMAP clients.
# [*imap_capabilities*] - Sets the IMAP protocol extensions list that is passed to the client in response to the CAPABILITY command.
# [*imap_client_buffer*] - Sets the IMAP commands read buffer size.
# [*pop3_auth*] - Sets permitted methods of authentication for POP3 clients.
# [*pop3_capabilities*] - Sets the POP3 protocol extensions list that is passed to the client in response to the CAPA command.
# [*smtp_auth*] - Sets permitted methods of SASL authentication for SMTP clients.
# [*smtp_capabilities*] - Sets the SMTP protocol extensions list that is passed to the client in response to the EHLO command.
# [*proxy_pass_error_message*] - Indicates whether to pass the error message obtained during the authentication on the backend to the client.
# [*server_name*] - List of mailhostnames for which this mailhost will respond. Default [$name].
# [*raw_prepend*] - A single string, or an array of strings to prepend to the server directive (after mailhost_cfg_prepend directive). NOTE: YOU are responsible for a semicolon on each line that requires one.
# [*raw_append*] - A single string, or an array of strings to append to the server directive (after mailhost_cfg_append directive). NOTE: YOU are responsible for a semicolon on each line that requires one.
# [*mailhost_cfg_append*] - It expects a hash with custom directives to put after everything else inside server
# [*mailhost_cfg_prepend*] - It expects a hash with custom directives to put before everything else inside server
# [*ensure*] - Enables or disables the specified mailhost (present|absent)
# [*listen_ip*] - Default IP Address for NGINX to listen with this server on. Defaults to all interfaces (*)
# [*listen_port*] - Default IP Port for NGINX to listen with this server on. Defaults to TCP 80
# [*listen_options*] - Extra options for listen directive like 'default' to catchall. Undef by default.
# [*ipv6_enable*] - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6
# support exists on your system before enabling.
# [*ipv6_listen_ip*] - Default IPv6 Address for NGINX to listen with this server on. Defaults to all interfaces (::)
# [*ipv6_listen_port*] - Default IPv6 Port for NGINX to listen with this server on. Defaults to TCP 80
# [*ipv6_listen_options*] - Extra options for listen directive like 'default' to catchall. Template will allways add ipv6only=on.
# While issue jfryman/puppet-nginx#30 is discussed, default value is 'default'.
# [*index_files*] - Default index files for NGINX to read when traversing a directory
# [*ssl*] - Indicates whether to setup SSL bindings for this mailhost.
# [*ssl_cert*] - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module.
# [*ssl_ciphers*] - Override default SSL ciphers. Defaults to nginx::ssl_ciphers
# [*ssl_client_cert*] - Pre-generated SSL Certificate file to reference for client verify SSL Support. This is not generated by this module.
# [*ssl_crl*] - String: Specifies CRL path in file system
# [*ssl_dhparam*] - This directive specifies a file containing Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
# format, utilized for exchanging session keys between server and client.
# [*ssl_ecdh_curve*] - This directive specifies a curve for ECDHE ciphers.
# [*ssl_key*] - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module.
# [*ssl_password_file*] - This directive specifies a file containing passphrases for secret keys.
# [*ssl_port*] - Default IP Port for NGINX to listen with this SSL server on. Defaults to TCP 443
# [*ssl_prefer_server_ciphers*] - Specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and TLS protocols. Defaults
# to $nginx::ssl_prefer_server_ciphers.
# [*ssl_protocols*] - SSL protocols enabled. Defaults to nginx::ssl_protocols
# [*ssl_session_cache*] - Sets the type and size of the session cache.
# [*ssl_session_ticket_key*] - This directive specifies a file containing secret key used to encrypt and decrypt TLS session tickets.
# [*ssl_session_tickets*] - Whether to enable or disable session resumption through TLS session tickets.
# [*ssl_session_timeout*] - String: Specifies a time during which a client may reuse the session parameters stored in a cache.
# Defaults to 5m.
# [*ssl_trusted_cert*] - String: Specifies a file with trusted CA certificates in the PEM format used to verify client
# certificates and OCSP responses if ssl_stapling is enabled.
# [*ssl_verify_depth*] - Sets the verification depth in the client certificates chain.
# [*starttls*] - Enable STARTTLS support: (on|off|only)
# [*protocol*] - Mail protocol to use: (imap|pop3|smtp)
# [*auth_http*] - With this directive you can set the URL to the external HTTP-like server for authorization.
# [*xclient*] - Whether to use xclient for smtp (on|off)
# [*imap_auth*] - Sets permitted methods of authentication for IMAP clients.
# [*imap_capabilities*] - Sets the IMAP protocol extensions list that is passed to the client in response to the CAPABILITY command.
# [*imap_client_buffer*] - Sets the IMAP commands read buffer size.
# [*pop3_auth*] - Sets permitted methods of authentication for POP3 clients.
# [*pop3_capabilities*] - Sets the POP3 protocol extensions list that is passed to the client in response to the CAPA command.
# [*smtp_auth*] - Sets permitted methods of SASL authentication for SMTP clients.
# [*smtp_capabilities*] - Sets the SMTP protocol extensions list that is passed to the client in response to the EHLO command.
# [*proxy_pass_error_message*] - Indicates whether to pass the error message obtained during the authentication on the backend to the client.
# [*server_name*] - List of mailhostnames for which this mailhost will respond. Default [$name].
# [*raw_prepend*] - A single string, or an array of strings to prepend to the server directive (after mailhost_cfg_prepend directive). NOTE: YOU are responsible for a semicolon on each line that requires one.
# [*raw_append*] - A single string, or an array of strings to append to the server directive (after mailhost_cfg_append directive). NOTE: YOU are responsible for a semicolon on each line that requires one.
# [*mailhost_cfg_append*] - It expects a hash with custom directives to put after everything else inside server
# [*mailhost_cfg_prepend*] - It expects a hash with custom directives to put before everything else inside server
#
# Actions:
#
Expand Down Expand Up @@ -88,6 +90,7 @@
Optional[String] $ssl_key = undef,
Optional[String] $ssl_password_file = undef,
Optional[Integer] $ssl_port = undef,
Enum['on', 'off'] $ssl_prefer_server_ciphers = $::nginx::ssl_prefer_server_ciphers,
String $ssl_protocols = $::nginx::ssl_protocols,
Optional[String] $ssl_session_cache = undef,
Optional[String] $ssl_session_ticket_key = undef,
Expand Down
Loading

0 comments on commit da99d72

Please sign in to comment.