From e4c3ff7d712efa6d9634d9284b13ddf4434ebd9b Mon Sep 17 00:00:00 2001 From: Igor Shishkin Date: Mon, 27 Oct 2014 11:35:41 +0300 Subject: [PATCH 01/13] Adding SSL CRL support --- manifests/resource/vhost.pp | 5 +++++ templates/vhost/vhost_ssl_header.erb | 3 +++ 2 files changed, 8 insertions(+) diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp index 44917133d..de713b33b 100644 --- a/manifests/resource/vhost.pp +++ b/manifests/resource/vhost.pp @@ -70,6 +70,7 @@ # [*ssl_trusted_cert*] - String: Specifies a file with trusted CA # certificates in the PEM format used to verify client certificates and # OCSP responses if ssl_stapling is enabled. +# [*ssl_crl*] - String: Specifies CRL path in file system # [*spdy*] - Toggles SPDY protocol. # [*server_name*] - List of vhostnames for which this vhost will # respond. Default [$name]. @@ -174,6 +175,7 @@ $ssl_stapling_verify = false, $ssl_session_timeout = '5m', $ssl_trusted_cert = undef, + $ssl_crl = undef, $spdy = $nginx::config::spdy, $proxy = undef, $proxy_redirect = undef, @@ -282,6 +284,9 @@ if ($ssl_trusted_cert != undef) { validate_string($ssl_trusted_cert) } + if ($ssl_crl != undef) { + validate_string($ssl_crl) + } validate_string($spdy) if ($proxy != undef) { validate_string($proxy) diff --git a/templates/vhost/vhost_ssl_header.erb b/templates/vhost/vhost_ssl_header.erb index 41e348eac..6636f48f6 100644 --- a/templates/vhost/vhost_ssl_header.erb +++ b/templates/vhost/vhost_ssl_header.erb @@ -41,6 +41,9 @@ server { <%- if defined? @ssl_trusted_cert -%> ssl_trusted_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.trusted.crt; <%- end -%> + <%- if defined? @ssl_crl -%> + ssl_crl <%= @ssl_crl %> + <%- end -%> <% end -%> <% if Array(@resolver).count > 0 -%> From 44e3b7b78197f943e539bccd09e824e79b278a15 Mon Sep 17 00:00:00 2001 
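Review bot: `validate_string($ssl_crl)` in the `@@ -282,6 +284,9 @@` hunk accepts any string, and the template hunk writes that value verbatim after `ssl_crl`, so whitespace, `;` or a newline in it would add directives to the rendered server block. Since the parameter is documented as a file-system path, a stricter check fits, for example `validate_re($ssl_crl, '\A/[^\s;{}]+\z')`. Unlike `ssl_trusted_cert`, the CRL is not deployed by the module, so its presence, ownership and refresh are left to the operator. The `[*ssl_crl*]` doc line should say so, and also that nginx uses the CRL only when verifying client certificates. The enclosing define starts and ends outside these hunks.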
From: Igor Shishkin Date: Tue, 28 Oct 2014 03:07:40 +0300 Subject: [PATCH 02/13] Fix for ssl_crl in template --- templates/vhost/vhost_ssl_header.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/vhost/vhost_ssl_header.erb b/templates/vhost/vhost_ssl_header.erb index 6636f48f6..b45c76a0d 100644 --- a/templates/vhost/vhost_ssl_header.erb +++ b/templates/vhost/vhost_ssl_header.erb @@ -42,7 +42,7 @@ server { ssl_trusted_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.trusted.crt; <%- end -%> <%- if defined? @ssl_crl -%> - ssl_crl <%= @ssl_crl %> + ssl_crl <%= @ssl_crl %>; <%- end -%> <% end -%> From 32f558891883d1fdf28569d093c5a9adb6ff2874 Mon Sep 17 00:00:00 2001 From: Igor Shishkin Date: Tue, 28 Oct 2014 17:14:45 +0300 Subject: [PATCH 03/13] Fix default permissions for certificate files --- manifests/resource/vhost.pp | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp index de713b33b..4bb3cd987 100644 --- a/manifests/resource/vhost.pp +++ b/manifests/resource/vhost.pp 
@@ -609,33 +609,33 @@ # Check if the file has been defined before creating the file to # avoid the error when using wildcard cert on the multiple vhosts ensure_resource('file', "${nginx::config::conf_dir}/${cert}.crt", { - owner => $nginx::config::daemon_user, - mode => '0444', + owner => 'root', + mode => '0400', source => $ssl_cert, }) ensure_resource('file', "${nginx::config::conf_dir}/${cert}.key", { - owner => $nginx::config::daemon_user, - mode => '0440', + owner => 'root', + mode => '0400', source => $ssl_key, }) if ($ssl_dhparam != undef) { ensure_resource('file', "${nginx::config::conf_dir}/${cert}.dh.pem", { - owner => $nginx::config::daemon_user, - mode => '0440', + owner => 'root', + mode => '0400', source => $ssl_dhparam, }) } if ($ssl_stapling_file != undef) { ensure_resource('file', "${nginx::config::conf_dir}/${cert}.ocsp.resp", { - owner => $nginx::config::daemon_user, - mode => '0440', + owner => 'root', + mode => '0400', source => $ssl_stapling_file, }) } if ($ssl_trusted_cert != undef) { ensure_resource('file', "${nginx::config::conf_dir}/${cert}.trusted.crt", { - owner => $nginx::config::daemon_user, - mode => '0440', + owner => 'root', + mode => '0400', source => $ssl_trusted_cert, }) } From 29b3d643eaaadd5b93282ba346fbccabdb71ab88 Mon Sep 17 00:00:00 2001 From: Igor Shishkin Date: Tue, 28 Oct 2014 17:25:37 +0300 Subject: [PATCH 04/13] Add proxy_cache_min_uses option --- manifests/resource/location.pp | 4 ++++ templates/vhost/locations/proxy.erb | 3 +++ 2 files changed, 7 insertions(+) diff --git a/manifests/resource/location.pp b/manifests/resource/location.pp index f03ca0c78..e2ed63659 100644 --- a/manifests/resource/location.pp +++ b/manifests/resource/location.pp 
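Review bot: The five `ensure_resource('file', …)` calls now hard-code `owner => 'root'` and `mode => '0400'`, which assumes the nginx master starts as root and reads the TLS material before workers switch to `$nginx::config::daemon_user`; nothing in the hunk states that assumption. A comment above the first resource would record it, for example `# read by the root-owned nginx master at config load; workers never open these files`. Installations that run the master unprivileged would no longer be able to read the key, so the owner may deserve a parameter defaulting to `'root'`. No `group` is set on any of the resources; adding `group => 'root'` would make the intent explicit even though mode 0400 grants the group nothing.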
@@ -30,6 +30,8 @@ # [*proxy_connect_timeout*] - Override the default the proxy connect timeout # value of 90 seconds # [*proxy_set_header*] - Array of vhost headers to set +# [*proxy_cache_min_uses*] - String: Sets the number of requests after which +# the response will be cached. # [*fastcgi*] - location of fastcgi (host:port) # [*fastcgi_param*] - Set additional custom fastcgi_params # [*fastcgi_params*] - optional alternative fastcgi_params file to use @@ -140,6 +142,7 @@ $proxy_read_timeout = $nginx::config::proxy_read_timeout, $proxy_connect_timeout = $nginx::config::proxy_connect_timeout, $proxy_set_header = $nginx::config::proxy_set_header, + $proxy_cache_min_uses = 1, $fastcgi = undef, $fastcgi_param = undef, $fastcgi_params = "${nginx::config::conf_dir}/fastcgi_params", @@ -284,6 +287,7 @@ if ($auth_basic_user_file != undef) { validate_string($auth_basic_user_file) } + validate_integer($proxy_cache_min_uses) if !is_integer($priority) { fail('$priority must be an integer.') } diff --git a/templates/vhost/locations/proxy.erb b/templates/vhost/locations/proxy.erb index be9ae08be..30f620e07 100644 --- a/templates/vhost/locations/proxy.erb +++ b/templates/vhost/locations/proxy.erb @@ -21,6 +21,9 @@ <% if @proxy_cache_valid -%> proxy_cache_valid <%= @proxy_cache_valid %>; <% end -%> +<% if @proxy_cache_min_uses %> + proxy_cache_min_uses <%= @proxy_cache_min_uses %>; +<% end %> <%- unless @rewrite_rules.nil? || @rewrite_rules.empty? -%> <%- @rewrite_rules.each do |rewrite_rule| -%> From 03805adac1429f550c6097bd16c74d739093d231 Mon Sep 17 00:00:00 2001 From: Igor Shishkin Date: Tue, 28 Oct 2014 17:28:04 +0300 Subject: [PATCH 05/13] Added proxy_cache_min_uses pass from vhost --- manifests/resource/vhost.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp index 4bb3cd987..898cdcdb8 100644 --- a/manifests/resource/vhost.pp +++ b/manifests/resource/vhost.pp 
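Review bot: In the `proxy.erb` hunk, `<% if @proxy_cache_min_uses %>` is true for the default of `1`, so `proxy_cache_min_uses 1;` is rendered into every proxy location whether or not `proxy_cache` is set. Tying it to the cache switch keeps cache directives out of uncached locations: `<% if @proxy_cache && @proxy_cache_min_uses -%>`. The new tags close with `%>` where the neighbouring `proxy_cache_valid` block uses `-%>`, which leaves blank lines in the output. The `[*proxy_cache_min_uses*]` doc line in `location.pp` says String while the declared default is the bare `1`.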
@@ -184,6 +184,7 @@ $proxy_set_header = [], $proxy_cache = false, $proxy_cache_valid = false, + $proxy_cache_min_uses = 1, $proxy_method = undef, $proxy_set_body = undef, $resolver = [], @@ -502,6 +503,7 @@ proxy_connect_timeout => $proxy_connect_timeout, proxy_cache => $proxy_cache, proxy_cache_valid => $proxy_cache_valid, + proxy_cache_min_uses => $proxy_cache_min_uses, proxy_method => $proxy_method, proxy_set_body => $proxy_set_body, fastcgi => $fastcgi, From 6bdafced9e7eba0a9fb39c392af8d29462e657c9 Mon Sep 17 00:00:00 2001 From: Igor Shishkin Date: Tue, 28 Oct 2014 17:35:17 +0300 Subject: [PATCH 06/13] proxy_cache_use_stale parameter added --- manifests/resource/location.pp | 1 + manifests/resource/vhost.pp | 2 ++ templates/vhost/locations/proxy.erb | 3 +++ 3 files changed, 6 insertions(+) diff --git a/manifests/resource/location.pp b/manifests/resource/location.pp index e2ed63659..2fdfa6235 100644 --- a/manifests/resource/location.pp +++ b/manifests/resource/location.pp @@ -166,6 +166,7 @@ $try_files = undef, $proxy_cache = false, $proxy_cache_valid = false, + $proxy_cache_use_stale = 'off', $proxy_method = undef, $proxy_set_body = undef, $auth_basic = undef, diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp index 898cdcdb8..cbbc7442b 100644 --- a/manifests/resource/vhost.pp +++ b/manifests/resource/vhost.pp @@ -185,6 +185,7 @@ $proxy_cache = false, $proxy_cache_valid = false, $proxy_cache_min_uses = 1, + $proxy_cache_use_stale = 'off', $proxy_method = undef, $proxy_set_body = undef, $resolver = [], @@ -504,6 +505,7 @@ proxy_cache => $proxy_cache, proxy_cache_valid => $proxy_cache_valid, proxy_cache_min_uses => $proxy_cache_min_uses, + proxy_cache_use_stale => $proxy_cache_use_stale, proxy_method => $proxy_method, proxy_set_body => $proxy_set_body, fastcgi => $fastcgi, diff --git a/templates/vhost/locations/proxy.erb b/templates/vhost/locations/proxy.erb index 30f620e07..f86672aa4 100644 --- a/templates/vhost/locations/proxy.erb 
+++ b/templates/vhost/locations/proxy.erb @@ -24,6 +24,9 @@ <% if @proxy_cache_min_uses %> proxy_cache_min_uses <%= @proxy_cache_min_uses %>; <% end %> +<% if @proxy_cache_use_stale %> + proxy_cache_use_stale <%= @proxy_cache_use_stale %>; +<% end %> <%- unless @rewrite_rules.nil? || @rewrite_rules.empty? -%> <%- @rewrite_rules.each do |rewrite_rule| -%> From 50e59ec1f145d559710f7a7c0895584a1dbc4cec Mon Sep 17 00:00:00 2001 From: Igor Shishkin Date: Tue, 28 Oct 2014 17:59:26 +0300 Subject: [PATCH 07/13] Proxy ignore headers added --- manifests/resource/location.pp | 1 + manifests/resource/vhost.pp | 2 ++ templates/vhost/vhost_header.erb | 4 +++- 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/manifests/resource/location.pp b/manifests/resource/location.pp index 2fdfa6235..cb034cad1 100644 --- a/manifests/resource/location.pp +++ b/manifests/resource/location.pp @@ -142,6 +142,7 @@ $proxy_read_timeout = $nginx::config::proxy_read_timeout, $proxy_connect_timeout = $nginx::config::proxy_connect_timeout, $proxy_set_header = $nginx::config::proxy_set_header, + $proxy_ignore_headers = [], $proxy_cache_min_uses = 1, $fastcgi = undef, $fastcgi_param = undef, diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp index cbbc7442b..9db43358a 100644 --- a/manifests/resource/vhost.pp +++ b/manifests/resource/vhost.pp @@ -181,6 +181,7 @@ $proxy_redirect = undef, $proxy_read_timeout = $nginx::config::proxy_read_timeout, $proxy_connect_timeout = $nginx::config::proxy_connect_timeout, + $proxy_ignore_headers = [], $proxy_set_header = [], $proxy_cache = false, $proxy_cache_valid = false, @@ -298,6 +299,7 @@ validate_string($proxy_redirect) } validate_array($proxy_set_header) + validate_array($proxy_ignore_headers) if ($proxy_cache != false) { validate_string($proxy_cache) } diff --git a/templates/vhost/vhost_header.erb b/templates/vhost/vhost_header.erb index c48ed6628..ea8062808 100644 --- a/templates/vhost/vhost_header.erb 
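Review bot: `proxy_cache_use_stale` is interpolated into the location block with no validation: neither the `location.pp` nor the `vhost.pp` hunks of this commit add a `validate_*` call or a header-comment entry for it. Because the default `'off'` is truthy, `<% if @proxy_cache_use_stale %>` always renders the directive, and whatever string a caller supplies lands in the config. A check in `location.pp` such as `validate_re($proxy_cache_use_stale, '\A[a-z0-9_ ]+\z')` would confine it to space-separated tokens like `error timeout http_502`. The doc entry should also state that enabling stale serving means clients can receive content the upstream has since changed or withdrawn.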
+++ b/templates/vhost/vhost_header.erb @@ -72,6 +72,9 @@ server { <% @proxy_set_header.each do |header| -%> proxy_set_header <%= header %>; <% end -%> +<% @proxy_ignore_headers.each do |header| -%> + proxy_ignore_headers <%= header %>; +<% end -%> <% if @add_header -%> <%- @add_header.each do |key,value| -%> add_header <%= key %> <%= value %>; @@ -94,4 +97,3 @@ server { access_log <%= @access_log_real %>; error_log <%= @error_log_real %>; - From 420d710a8094798a3430b01c0f20f86a44a3e348 Mon Sep 17 00:00:00 2001 From: Igor Shishkin Date: Tue, 28 Oct 2014 18:05:43 +0300 Subject: [PATCH 08/13] Fix for validating proxy_min_cache_usage --- manifests/resource/location.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/resource/location.pp b/manifests/resource/location.pp index cb034cad1..8ed5bdd07 100644 --- a/manifests/resource/location.pp +++ b/manifests/resource/location.pp @@ -289,7 +289,7 @@ if ($auth_basic_user_file != undef) { validate_string($auth_basic_user_file) } - validate_integer($proxy_cache_min_uses) + validate_re($proxy_cache_min_uses, '^\d+$') if !is_integer($priority) { fail('$priority must be an integer.') } From 1ae29fa444586f14c678f4ec32c465a24e7bb65e Mon Sep 17 00:00:00 2001 From: Igor Shishkin Date: Tue, 28 Oct 2014 23:20:23 +0300 Subject: [PATCH 09/13] More clear redirect to https --- templates/vhost/vhost_footer.erb | 30 +++++---- templates/vhost/vhost_header.erb | 106 +++++++++++++++---------------- 2 files changed, 68 insertions(+), 68 deletions(-) diff --git a/templates/vhost/vhost_footer.erb b/templates/vhost/vhost_footer.erb index 828f39698..9cf0433e3 100644 --- a/templates/vhost/vhost_footer.erb +++ b/templates/vhost/vhost_footer.erb 
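Review bot: Each element of `@proxy_ignore_headers` is written verbatim after the directive name in the `@@ -72,6 +72,9 @@` hunk, yet the only check in this commit is `validate_array` on the vhost side. `location.pp` declares the parameter without validating it, neither manifest documents it, and no hunk here passes it from the vhost to its location resource. Elements should be checked against the field names nginx accepts before they are rendered. The doc entry should warn that ignoring `Set-Cookie`, `Cache-Control` or `Expires` together with `proxy_cache` lets responses the upstream marked private or uncacheable be stored and served to other clients.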
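Review bot: The pattern `'^\d+$'` is line-anchored in Ruby, so a multi-line value whose first line is all digits passes `validate_re`, and the remaining lines are rendered into the location block after `proxy_cache_min_uses`. Anchor to the whole string instead: `validate_re($proxy_cache_min_uses, '\A\d+\z')`. `validate_re` works on strings, so the bare default `1` may need to become `'1'` on parsers that keep integers typed; that should be confirmed against the Puppet versions the module supports.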
@@ -6,22 +6,24 @@ <%# make sure that allow comes before deny by forcing the allow key (if it -%> <%# exists) to be first in the output order. The hash keys also need to be -%> <%# sorted so that the ordering is stable. -%> -<% if @vhost_cfg_append -%> - <%- @vhost_cfg_append.sort_by{ |k, v| k.to_s == 'allow' ? '' : k.to_s }.each do |key,value| -%> - <%- if value.is_a?(Hash) -%> - <%- value.each do |subkey,subvalue| -%> - <%- Array(subvalue).each do |asubvalue| -%> - <%= key %> <%= subkey %> <%= asubvalue %>; +<% if !@rewrite_to_https -%> + <% if @vhost_cfg_append -%> + <%- @vhost_cfg_append.sort_by{ |k, v| k.to_s == 'allow' ? '' : k.to_s }.each do |key,value| -%> + <%- if value.is_a?(Hash) -%> + <%- value.each do |subkey,subvalue| -%> + <%- Array(subvalue).each do |asubvalue| -%> + <%= key %> <%= subkey %> <%= asubvalue %>; + <%- end -%> + <%- end -%> + <%- else -%> + <%- Array(value).each do |asubvalue| -%> + <%= key %> <%= asubvalue %>; <%- end -%> - <%- end -%> - <%- else -%> - <%- Array(value).each do |asubvalue| -%> - <%= key %> <%= asubvalue %>; <%- end -%> <%- end -%> - <%- end -%> -<% end -%> -<% Array(@raw_append).each do |line| -%> - <%= line %> + <% end -%> + <% Array(@raw_append).each do |line| -%> + <%= line %> + <% end -%> <% end -%> } diff --git a/templates/vhost/vhost_header.erb b/templates/vhost/vhost_header.erb index ea8062808..daecb74d9 100644 --- a/templates/vhost/vhost_header.erb +++ b/templates/vhost/vhost_header.erb 
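Review bot: Wrapping the footer body in `<% if !@rewrite_to_https -%>` silently drops `vhost_cfg_append` and `raw_append` whenever the redirect is enabled. If `vhost_footer.erb` is also rendered for the SSL server block (not visible in this diff), `allow`/`deny` rules or other hardening passed through those parameters would disappear from the HTTPS vhost too. The condition should then be limited to the plain-HTTP fragment, and the parameter docs should say which server block the append options apply to. As a style point, `<% unless @rewrite_to_https -%>` reads better than `if !`.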
@@ -37,63 +37,61 @@ server { <% if defined? @gzip_types -%> gzip_types <%= @gzip_types %>; <% end -%> -<%# make sure that allow comes before deny by forcing the allow key (if it -%> -<%# exists) to be first in the output order. The hash keys also need to be -%> -<%# sorted so that the ordering is stable. -%> -<% if @vhost_cfg_prepend -%> - <%- @vhost_cfg_prepend.sort_by{ |k, v| k.to_s == 'allow' ? '' : k.to_s }.each do |key,value| -%> - <%- if value.is_a?(Hash) -%> - <%- value.each do |subkey,subvalue| -%> - <%- Array(subvalue).each do |asubvalue| -%> - <%= key %> <%= subkey %> <%= asubvalue %>; +<% if @rewrite_to_https -%> + return 301 https://$host<% if @ssl_port.to_i != 443 %>:<%= @ssl_port %><% end %>$request_uri; +<% else %> + <%# make sure that allow comes before deny by forcing the allow key (if it -%> + <%# exists) to be first in the output order. The hash keys also need to be -%> + <%# sorted so that the ordering is stable. -%> + <% if @vhost_cfg_prepend -%> + <%- @vhost_cfg_prepend.sort_by{ |k, v| k.to_s == 'allow' ? 
'' : k.to_s }.each do |key,value| -%> + <%- if value.is_a?(Hash) -%> + <%- value.each do |subkey,subvalue| -%> + <%- Array(subvalue).each do |asubvalue| -%> + <%= key %> <%= subkey %> <%= asubvalue %>; + <%- end -%> + <%- end -%> + <%- else -%> + <%- Array(value).each do |asubvalue| -%> + <%= key %> <%= asubvalue %>; <%- end -%> - <%- end -%> - <%- else -%> - <%- Array(value).each do |asubvalue| -%> - <%= key %> <%= asubvalue %>; <%- end -%> <%- end -%> - <%- end -%> -<% end -%> -<% Array(@raw_prepend).each do |line| -%> - <%= line %> + <% end -%> + <% Array(@raw_prepend).each do |line| -%> + <%= line %> + <% end %> + <% if @root -%> + root <%= @root %>; + <% end -%> + <% if @passenger_cgi_param -%> + <%- @passenger_cgi_param.keys.sort.each do |key| -%> + passenger_set_cgi_param <%= key %> <%= @passenger_cgi_param[key] %>; + <%- end -%> + <% end -%> + <% if Array(@resolver).count > 0 -%> + resolver <% Array(@resolver).each do |r| %> <%= r %><% end %>; + <% end -%> + <% @proxy_set_header.each do |header| -%> + proxy_set_header <%= header %>; + <% end -%> + <% @proxy_ignore_headers.each do |header| -%> + proxy_ignore_headers <%= header %>; + <% end -%> + <% if @add_header -%> + <%- @add_header.each do |key,value| -%> + add_header <%= key %> <%= value %>; + <%- end -%> + <% end -%> + <% if @index_files.count > 0 -%> + index <% Array(@index_files).each do |i| %> <%= i %><% end %>; + <% end -%> + <% if defined? @log_by_lua -%> + log_by_lua '<%= @log_by_lua %>'; + <% end -%> + <% if defined? 
@log_by_lua_file -%> + log_by_lua_file "<%= @log_by_lua_file %>"; + <% end -%> <% end %> -<% if @root -%> - root <%= @root %>; -<% end -%> -<% if @passenger_cgi_param -%> - <%- @passenger_cgi_param.keys.sort.each do |key| -%> - passenger_set_cgi_param <%= key %> <%= @passenger_cgi_param[key] %>; - <%- end -%> -<% end -%> -<% if Array(@resolver).count > 0 -%> - resolver <% Array(@resolver).each do |r| %> <%= r %><% end %>; -<% end -%> -<% @proxy_set_header.each do |header| -%> - proxy_set_header <%= header %>; -<% end -%> -<% @proxy_ignore_headers.each do |header| -%> - proxy_ignore_headers <%= header %>; -<% end -%> -<% if @add_header -%> - <%- @add_header.each do |key,value| -%> - add_header <%= key %> <%= value %>; - <%- end -%> -<% end -%> -<% if @rewrite_to_https -%> - if ($ssl_protocol = "") { - return 301 https://$host<% if @ssl_port.to_i != 443 %>:<%= @ssl_port %><% end %>$request_uri; - } -<% end -%> -<% if @index_files.count > 0 -%> - index <% Array(@index_files).each do |i| %> <%= i %><% end %>; -<% end -%> -<% if defined? @log_by_lua -%> - log_by_lua '<%= @log_by_lua %>'; -<% end -%> -<% if defined? @log_by_lua_file -%> - log_by_lua_file "<%= @log_by_lua_file %>"; -<% end -%> - access_log <%= @access_log_real %>; error_log <%= @error_log_real %>; From 0357495ee69427563b8ca1412e4f9f7920284335 Mon Sep 17 00:00:00 2001 From: Igor Shishkin Date: Tue, 28 Oct 2014 21:25:39 +0300 Subject: [PATCH 10/13] Fix for template Conflicts: templates/vhost/vhost_ssl_header.erb --- templates/vhost/vhost_ssl_header.erb | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/templates/vhost/vhost_ssl_header.erb b/templates/vhost/vhost_ssl_header.erb index b45c76a0d..4d29c2df8 100644 --- a/templates/vhost/vhost_ssl_header.erb +++ b/templates/vhost/vhost_ssl_header.erb 
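Review bot: The redirect in `return 301 https://$host…$request_uri;` builds its target from `$host`, which nginx fills from the request line or `Host` header before falling back to the server name, so the `Location` value is client-influenced. Rendering a configured name from the vhost's `server_name` list would pin the target. The `if ($ssl_protocol = "")` guard is gone, so the redirect is now unconditional for this server block; whether the block can ever be rendered for a listener that also terminates TLS cannot be told from this hunk and is worth checking. `<% else %>` and the closing `<% end %>` lack the `-%>` used elsewhere in the file and will emit blank lines.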
@@ -17,6 +17,13 @@ server { ssl_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.crt; ssl_certificate_key <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.key; + +<% if defined? @ssl_client_certificate %> + ssl_client_certificate <%= @ssl_client_certificate %>; +<% end %> +<% if defined? @ssl_verify_client %> + ssl_verify_client <%= @ssl_verify_client %>; +<% end %> <% if defined? @ssl_dhparam -%> ssl_dhparam <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.dh.pem; <% end -%> From 43f878cb126c937ce9c9491e0b0b8804e71af63c Mon Sep 17 00:00:00 2001 From: Igor Shishkin Date: Tue, 28 Oct 2014 21:21:43 +0300 Subject: [PATCH 11/13] Fixes to ssl support Conflicts: templates/vhost/vhost_ssl_header.erb --- manifests/resource/vhost.pp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp index 9db43358a..c337ba5c9 100644 --- a/manifests/resource/vhost.pp +++ b/manifests/resource/vhost.pp @@ -71,6 +71,9 @@ # certificates in the PEM format used to verify client certificates and # OCSP responses if ssl_stapling is enabled. # [*ssl_crl*] - String: Specifies CRL path in file system +# [*ssl_client_certificate*] - String: CA to verify client certs +# [*ssl_verify_client*] - String: Enables verification of client certificates. +# The verification result is stored in the $ssl_client_verify variable. # [*spdy*] - Toggles SPDY protocol. # [*server_name*] - List of vhostnames for which this vhost will # respond. Default [$name]. @@ -176,6 +179,8 @@ $ssl_session_timeout = '5m', $ssl_trusted_cert = undef, $ssl_crl = undef, + $ssl_client_certificate = undef, + $ssl_verify_client = 'off', $spdy = $nginx::config::spdy, $proxy = undef, $proxy_redirect = undef, 
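Review bot: The two new blocks in the `@@ -17,6 +17,13 @@` hunk close their tags with `%>` where the adjacent `ssl_dhparam` block uses `-%>`, so each renders stray blank lines; `<% if defined? @ssl_client_certificate -%>` and `<% end -%>` would match the file. `ssl_client_certificate` is written as given, and this commit's diffstat lists only the template, so no manifest-side declaration or validation accompanies it here. As far as I know nginx rejects a configuration that enables `ssl_verify_client` without a client CA file, so the second block could be rendered only when the first is.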
@@ -290,6 +295,7 @@ if ($ssl_crl != undef) { validate_string($ssl_crl) } + validate_string($ssl_verify_client) validate_string($spdy) if ($proxy != undef) { validate_string($proxy) From 2378340a59f340fa294215835528234a58a76858 Mon Sep 17 00:00:00 2001 From: Igor Shishkin Date: Wed, 29 Oct 2014 11:05:53 +0300 Subject: [PATCH 12/13] Tests for proxy_ignore_headers --- spec/defines/resource_vhost_spec.rb | 13 ++++++++++--- templates/vhost/locations/proxy.erb | 7 +++++++ 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/spec/defines/resource_vhost_spec.rb b/spec/defines/resource_vhost_spec.rb index fa687ee8f..70c669f92 100644 --- a/spec/defines/resource_vhost_spec.rb +++ b/spec/defines/resource_vhost_spec.rb @@ -207,13 +207,21 @@ ' proxy_set_header header2;', ], }, + { + :title => 'should set proxy_ignore_headers', + :attr => 'proxy_ignore_headers', + :value => ['header1', 'header2'], + :match => [ + ' proxy_ignore_header header1;', + ' proxy_ignore_header header2;', + ] + }, { :title => 'should rewrite to HTTPS', :attr => 'rewrite_to_https', :value => true, :match => [ - ' if ($ssl_protocol = "") {', - ' return 301 https://$host$request_uri;', + %r'\s*return\s+301\s+https://\$host\$request_uri;', ], }, { @@ -221,7 +229,6 @@ :attr => 'rewrite_to_https', :value => false, :notmatch => [ - %r'if \(\$ssl_protocol = ""\) \{', %r'\s+return 301 https://\$host\$request_uri;', ], }, diff --git a/templates/vhost/locations/proxy.erb b/templates/vhost/locations/proxy.erb index f86672aa4..8328037df 100644 --- a/templates/vhost/locations/proxy.erb +++ b/templates/vhost/locations/proxy.erb @@ -14,6 +14,13 @@ proxy_set_header <%= header %>; <%- end -%> +<% end -%> +<% unless @proxy_ignore_headers.nil? -%> + + <%- @proxy_ignore_headers.each do |header| -%> + proxy_ignore_header <%= header %>; + <%- end -%> + <% end -%> <% if @proxy_cache -%> proxy_cache <%= @proxy_cache %>; From 4bccfb17c3b319fba2c77c944685b12f4ecda7c2 Mon Sep 17 00:00:00 2001 
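Review bot: `validate_string($ssl_verify_client)` accepts any string, while nginx takes only `on`, `off`, `optional` or `optional_no_ca`. `validate_re($ssl_verify_client, '\A(on|off|optional|optional_no_ca)\z')` would fail at catalog compilation rather than at nginx reload. `$ssl_client_certificate`, declared in the `@@ -176,6 +179,8 @@` hunk, gets no validation at all. The `[*ssl_verify_client*]` doc entry should note that `optional` and `optional_no_ca` still admit clients without a valid certificate, so access decisions then depend on checking `$ssl_client_verify`. The define continues outside these hunks.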
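Review bot: The new example expects `proxy_ignore_header header1;` (singular), but `vhost_header.erb` renders `proxy_ignore_headers`, and the later typo fix in this series touches only `proxy.erb`. The two `:match` strings should therefore use `proxy_ignore_headers`, with the template's indentation. The added hash closes its array with `]` where the sibling entries use `],`. In the `rewrite_to_https => false` example the `notmatch` for `if \(\$ssl_protocol = ""\) \{` is removed; keeping it would pin that the conditional form no longer appears.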
From: Igor Shishkin Date: Fri, 5 Dec 2014 20:55:30 +0300 Subject: [PATCH 13/13] Fix type in proxy_ignore_headers attribute --- templates/vhost/locations/proxy.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/vhost/locations/proxy.erb b/templates/vhost/locations/proxy.erb index 8328037df..4745b28e3 100644 --- a/templates/vhost/locations/proxy.erb +++ b/templates/vhost/locations/proxy.erb @@ -18,7 +18,7 @@ <% unless @proxy_ignore_headers.nil? -%> <%- @proxy_ignore_headers.each do |header| -%> - proxy_ignore_header <%= header %>; + proxy_ignore_headers <%= header %>; <%- end -%> <% end -%>