dont deploy "ssl on" on nginx 1.15 or newer

manifests/init.pp

@@ -170,6 +170,7 @@
   $nginx_servers                                             = {},
   $nginx_servers_defaults                                    = {},
   Boolean $purge_passenger_repo                              = true,
+  Boolean $add_listen_directive                              = $nginx::params::add_listen_directive,
   ### END Hiera Lookups ###
 ) inherits nginx::params {
 

manifests/params.pp

@@ -121,5 +121,11 @@
   $sites_available_group = $_module_parameters['root_group']
   $sites_available_mode  = '0644'
   $super_user            = true
+  if fact('nginx_version') {
+    # enable only for releases that are older than 1.15.0
+    $add_listen_directive = versioncmp(fact('nginx_version'), '1.15.0') < 0
+  } else {
+    $add_listen_directive = true
+  }
   ### END Referenced Variables
 }

manifests/resource/server.pp

@@ -127,6 +127,7 @@
 #   [*error_pages*]                - Hash: setup errors pages, hash key is the http code and hash value the page
 #   [*locations*]                  - Hash of servers resources used by this server
 #   [*locations_defaults*]         - Hash of location default settings
+#   [*add_listen_directive*]       - Boolean to determine if we should add 'ssl on;' to the vhost or not. defaults to true for nginx 1.14 and older, otherwise false
 # Actions:
 #
 # Requires:
@@ -260,7 +261,8 @@
   String $maintenance_value                                                      = 'return 503',
   $error_pages                                                                   = undef,
   Hash $locations                                                                = {},
-  Hash $locations_defaults                                                       = {}
+  Hash $locations_defaults                                                       = {},
+  Boolean $add_listen_directive                                                  = $nginx::add_listen_directive,
 ) {
 
   if ! defined(Class['nginx']) {

spec/defines/resource_server_spec.rb

@@ -425,6 +425,49 @@
         end
 
         describe 'server_ssl_header template content' do
+          context 'without a value for the nginx_version fact do' do
+            let :facts do
+              facts[:nginx_version] ? facts.delete(:nginx_version) : facts
+            end
+            let :params do
+              default_params.merge(
+                ssl: true,
+                ssl_key: 'dummy.key',
+                ssl_cert: 'dummy.crt'
+              )
+            end
+
+            it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{  ssl on;}) }
+          end
+          context 'with fact nginx_version=1.14.1' do
+            let :facts do
+              facts.merge(nginx_version: '1.14.1')
+            end
+            let :params do
+              default_params.merge(
+                ssl: true,
+                ssl_key: 'dummy.key',
+                ssl_cert: 'dummy.crt'
+              )
+            end
+
+            it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{  ssl on;}) }
+          end
+
+          context 'with fact nginx_version=1.15.1' do
+            let :facts do
+              facts.merge(nginx_version: '1.15.1')
+            end
+            let :params do
+              default_params.merge(
+                ssl: true,
+                ssl_key: 'dummy.key',
+                ssl_cert: 'dummy.crt'
+              )
+            end
+
+            it { is_expected.not_to contain_concat__fragment("#{title}-ssl-header").with_content(%r{  ssl on;}) }
+          end
           [
             {
               title: 'should not contain www to non-www rewrite',

templates/server/server_ssl_settings.erb

@@ -1,5 +1,6 @@
+<% if @add_listen_directive -%>
   ssl on;
-
+<% end -%>
 <% if @ssl_cert -%>
   ssl_certificate           <%= @ssl_cert %>;
 <% end -%>