ssl_crl option support added #493

Closed
6 changes: 6 additions & 0 deletions manifests/resource/location.pp
Expand Up @@ -30,6 +30,8 @@
# [*proxy_connect_timeout*] - Override the default the proxy connect timeout
# value of 90 seconds
# [*proxy_set_header*] - Array of vhost headers to set
# [*proxy_cache_min_uses*] - String: Sets the number of requests after which
# the response will be cached.
# [*fastcgi*] - location of fastcgi (host:port)
# [*fastcgi_param*] - Set additional custom fastcgi_params
# [*fastcgi_params*] - optional alternative fastcgi_params file to use
Expand Down Expand Up @@ -140,6 +142,8 @@
$proxy_read_timeout = $nginx::config::proxy_read_timeout,
$proxy_connect_timeout = $nginx::config::proxy_connect_timeout,
$proxy_set_header = $nginx::config::proxy_set_header,
$proxy_ignore_headers = [],
$proxy_cache_min_uses = 1,
$fastcgi = undef,
$fastcgi_param = undef,
$fastcgi_params = "${nginx::config::conf_dir}/fastcgi_params",
Expand All @@ -163,6 +167,7 @@
$try_files = undef,
$proxy_cache = false,
$proxy_cache_valid = false,
$proxy_cache_use_stale = 'off',
$proxy_method = undef,
$proxy_set_body = undef,
$auth_basic = undef,
Expand Down Expand Up @@ -284,6 +289,7 @@
if ($auth_basic_user_file != undef) {
validate_string($auth_basic_user_file)
}
validate_re($proxy_cache_min_uses, '^\d+$')
if !is_integer($priority) {
fail('$priority must be an integer.')
}
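Review bot: `validate_re($proxy_cache_min_uses, '^\d+$')` in the last hunk anchors with `^`/`$`, which in Ruby match per line rather than the whole string, and it is applied to a parameter whose default is the numeric literal `1`; stdlib's validate_re rejects non-String input, so depending on the Puppet/stdlib version in use the default itself may fail validation. `validate_integer($proxy_cache_min_uses)` on a recent stdlib, or `validate_re("${proxy_cache_min_uses}", '\A\d+\z')` on an older one, pins the intended contract either way. The two other new parameters, `$proxy_ignore_headers` and `$proxy_cache_use_stale`, get neither an entry in the header comment nor a validation line here, whereas vhost.pp validates `proxy_ignore_headers` with `validate_array`; adding `validate_array($proxy_ignore_headers)` and `validate_string($proxy_cache_use_stale)` keeps the two defines consistent. The enclosing define continues outside the hunks.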
37 changes: 27 additions & 10 deletions manifests/resource/vhost.pp
Expand Up @@ -70,6 +70,10 @@
# [*ssl_trusted_cert*] - String: Specifies a file with trusted CA
# certificates in the PEM format used to verify client certificates and
# OCSP responses if ssl_stapling is enabled.
# [*ssl_crl*] - String: Specifies CRL path in file system
# [*ssl_client_certificate*] - String: CA to verify client certs
# [*ssl_verify_client*] - String: Enables verification of client certificates.
# The verification result is stored in the $ssl_client_verify variable.
# [*spdy*] - Toggles SPDY protocol.
# [*server_name*] - List of vhostnames for which this vhost will
# respond. Default [$name].
Expand Down Expand Up @@ -174,14 +178,20 @@
$ssl_stapling_verify = false,
$ssl_session_timeout = '5m',
$ssl_trusted_cert = undef,
$ssl_crl = undef,
$ssl_client_certificate = undef,
$ssl_verify_client = 'off',
$spdy = $nginx::config::spdy,
$proxy = undef,
$proxy_redirect = undef,
$proxy_read_timeout = $nginx::config::proxy_read_timeout,
$proxy_connect_timeout = $nginx::config::proxy_connect_timeout,
$proxy_ignore_headers = [],
$proxy_set_header = [],
$proxy_cache = false,
$proxy_cache_valid = false,
$proxy_cache_min_uses = 1,
$proxy_cache_use_stale = 'off',
$proxy_method = undef,
$proxy_set_body = undef,
$resolver = [],
Expand Down Expand Up @@ -282,6 +292,10 @@
if ($ssl_trusted_cert != undef) {
validate_string($ssl_trusted_cert)
}
if ($ssl_crl != undef) {
validate_string($ssl_crl)
}
validate_string($ssl_verify_client)
validate_string($spdy)
if ($proxy != undef) {
validate_string($proxy)
Expand All @@ -291,6 +305,7 @@
validate_string($proxy_redirect)
}
validate_array($proxy_set_header)
validate_array($proxy_ignore_headers)
if ($proxy_cache != false) {
validate_string($proxy_cache)
}
Expand Down Expand Up @@ -497,6 +512,8 @@
proxy_connect_timeout => $proxy_connect_timeout,
proxy_cache => $proxy_cache,
proxy_cache_valid => $proxy_cache_valid,
proxy_cache_min_uses => $proxy_cache_min_uses,
proxy_cache_use_stale => $proxy_cache_use_stale,
proxy_method => $proxy_method,
proxy_set_body => $proxy_set_body,
fastcgi => $fastcgi,
Expand Down Expand Up @@ -604,33 +621,33 @@
# Check if the file has been defined before creating the file to
# avoid the error when using wildcard cert on the multiple vhosts
ensure_resource('file', "${nginx::config::conf_dir}/${cert}.crt", {
owner => $nginx::config::daemon_user,
mode => '0444',
owner => 'root',
mode => '0400',
source => $ssl_cert,
})
ensure_resource('file', "${nginx::config::conf_dir}/${cert}.key", {
owner => $nginx::config::daemon_user,
mode => '0440',
owner => 'root',
mode => '0400',
source => $ssl_key,
})
if ($ssl_dhparam != undef) {
ensure_resource('file', "${nginx::config::conf_dir}/${cert}.dh.pem", {
owner => $nginx::config::daemon_user,
mode => '0440',
owner => 'root',
mode => '0400',
source => $ssl_dhparam,
})
}
if ($ssl_stapling_file != undef) {
ensure_resource('file', "${nginx::config::conf_dir}/${cert}.ocsp.resp", {
owner => $nginx::config::daemon_user,
mode => '0440',
owner => 'root',
mode => '0400',
source => $ssl_stapling_file,
})
}
if ($ssl_trusted_cert != undef) {
ensure_resource('file', "${nginx::config::conf_dir}/${cert}.trusted.crt", {
owner => $nginx::config::daemon_user,
mode => '0440',
owner => 'root',
mode => '0400',
source => $ssl_trusted_cert,
})
}
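Review bot: `validate_string($ssl_verify_client)` in the third hunk accepts any string, but nginx only takes `on`, `off`, `optional` and `optional_no_ca` for this directive, and a typo such as `'On'` is rendered straight into the server block and only surfaces at `nginx -t`; `validate_re($ssl_verify_client, '\A(on|off|optional|optional_no_ca)\z')` pins that. `$ssl_client_certificate` is added with no validation in the hunks shown (there may be one further down), and nothing checks that it is set when `$ssl_verify_client` is anything other than `off`, a combination nginx rejects at load time unless the mode is `optional_no_ca`; a `fail()` for that case would surface the mistake at catalog compile instead. The last hunk also tightens every managed certificate-related file to `root`/`0400`, including `.ocsp.resp` and `.trusted.crt`; that is sensible hardening but unrelated to the PR title and a behaviour change for hosts where the nginx master is not started as root, so it deserves a line in the description. The define continues outside the hunks.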
13 changes: 10 additions & 3 deletions spec/defines/resource_vhost_spec.rb
Expand Up @@ -207,21 +207,28 @@
' proxy_set_header header2;',
],
},
{
:title => 'should set proxy_ignore_headers',
:attr => 'proxy_ignore_headers',
:value => ['header1', 'header2'],
:match => [
' proxy_ignore_header header1;',
' proxy_ignore_header header2;',
]
},
{
:title => 'should rewrite to HTTPS',
:attr => 'rewrite_to_https',
:value => true,
:match => [
' if ($ssl_protocol = "") {',
' return 301 https://$host$request_uri;',
%r'\s*return\s+301\s+https://\$host\$request_uri;',
],
},
{
:title => 'should not rewrite to HTTPS',
:attr => 'rewrite_to_https',
:value => false,
:notmatch => [
%r'if \(\$ssl_protocol = ""\) \{',
%r'\s+return 301 https://\$host\$request_uri;',
],
},
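Review bot: The expected lines in the new `proxy_ignore_headers` case, `' proxy_ignore_header header1;'` and `' proxy_ignore_header header2;'`, use the singular form while both templates in this PR render `proxy_ignore_headers <%= header %>;` (which is also the directive name nginx knows), so however `:match` is applied this case asserts text the catalog does not contain. The two entries should read `' proxy_ignore_headers header1;'` and `' proxy_ignore_headers header2;'`. The surrounding example array begins and ends outside the hunk.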
13 changes: 13 additions & 0 deletions templates/vhost/locations/proxy.erb
Expand Up @@ -14,13 +14,26 @@
proxy_set_header <%= header %>;
<%- end -%>

<% end -%>
<% unless @proxy_ignore_headers.nil? -%>

<%- @proxy_ignore_headers.each do |header| -%>
proxy_ignore_headers <%= header %>;
<%- end -%>

<% end -%>
<% if @proxy_cache -%>
proxy_cache <%= @proxy_cache %>;
<% end -%>
<% if @proxy_cache_valid -%>
proxy_cache_valid <%= @proxy_cache_valid %>;
<% end -%>
<% if @proxy_cache_min_uses %>
proxy_cache_min_uses <%= @proxy_cache_min_uses %>;
<% end %>
<% if @proxy_cache_use_stale %>
proxy_cache_use_stale <%= @proxy_cache_use_stale %>;
<% end %>
<%- unless @rewrite_rules.nil? || @rewrite_rules.empty? -%>

<%- @rewrite_rules.each do |rewrite_rule| -%>
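Review bot: The new `<% if @proxy_cache_min_uses %>` … `<% end %>` and `<% if @proxy_cache_use_stale %>` … `<% end %>` tags close with `%>` while every neighbouring tag in the hunk uses `-%>`, so each rendered location now carries extra blank lines; and because the defaults are `1` and `'off'`, both directives are emitted for every proxied location even though those are nginx's own defaults. `<% if @proxy_cache_min_uses -%>` / `<% end -%>` matches the file's style, and guarding on `@proxy_cache` as well (`<% if @proxy_cache && @proxy_cache_min_uses -%>`) would keep cache tuning directives out of locations that do no caching. The template continues outside the hunk.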
30 changes: 16 additions & 14 deletions templates/vhost/vhost_footer.erb
Expand Up @@ -6,22 +6,24 @@
<%# make sure that allow comes before deny by forcing the allow key (if it -%>
<%# exists) to be first in the output order. The hash keys also need to be -%>
<%# sorted so that the ordering is stable. -%>
<% if @vhost_cfg_append -%>
<%- @vhost_cfg_append.sort_by{ |k, v| k.to_s == 'allow' ? '' : k.to_s }.each do |key,value| -%>
<%- if value.is_a?(Hash) -%>
<%- value.each do |subkey,subvalue| -%>
<%- Array(subvalue).each do |asubvalue| -%>
<%= key %> <%= subkey %> <%= asubvalue %>;
<% if !@rewrite_to_https -%>
<% if @vhost_cfg_append -%>
<%- @vhost_cfg_append.sort_by{ |k, v| k.to_s == 'allow' ? '' : k.to_s }.each do |key,value| -%>
<%- if value.is_a?(Hash) -%>
<%- value.each do |subkey,subvalue| -%>
<%- Array(subvalue).each do |asubvalue| -%>
<%= key %> <%= subkey %> <%= asubvalue %>;
<%- end -%>
<%- end -%>
<%- else -%>
<%- Array(value).each do |asubvalue| -%>
<%= key %> <%= asubvalue %>;
<%- end -%>
<%- end -%>
<%- else -%>
<%- Array(value).each do |asubvalue| -%>
<%= key %> <%= asubvalue %>;
<%- end -%>
<%- end -%>
<%- end -%>
<% end -%>
<% Array(@raw_append).each do |line| -%>
<%= line %>
<% end -%>
<% Array(@raw_append).each do |line| -%>
<%= line %>
<% end -%>
<% end -%>
}
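Review bot: Wrapping the whole footer in `<% if !@rewrite_to_https -%>` means `vhost_cfg_append` and `raw_append` are silently discarded whenever `rewrite_to_https` is set; users put `allow`/`deny` and similar directives there, so the parameter documentation for `rewrite_to_https` should state that the plain-HTTP server block then contains nothing but the redirect. The idiomatic spelling is `<% unless @rewrite_to_https -%>`. A template comment above it, `<%# with rewrite_to_https the server block is a bare redirect, so no append directives are rendered -%>`, would make the intent obvious to the next reader.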
104 changes: 52 additions & 52 deletions templates/vhost/vhost_header.erb
Expand Up @@ -37,61 +37,61 @@ server {
<% if defined? @gzip_types -%>
gzip_types <%= @gzip_types %>;
<% end -%>
<%# make sure that allow comes before deny by forcing the allow key (if it -%>
<%# exists) to be first in the output order. The hash keys also need to be -%>
<%# sorted so that the ordering is stable. -%>
<% if @vhost_cfg_prepend -%>
<%- @vhost_cfg_prepend.sort_by{ |k, v| k.to_s == 'allow' ? '' : k.to_s }.each do |key,value| -%>
<%- if value.is_a?(Hash) -%>
<%- value.each do |subkey,subvalue| -%>
<%- Array(subvalue).each do |asubvalue| -%>
<%= key %> <%= subkey %> <%= asubvalue %>;
<% if @rewrite_to_https -%>
return 301 https://$host<% if @ssl_port.to_i != 443 %>:<%= @ssl_port %><% end %>$request_uri;
<% else %>
<%# make sure that allow comes before deny by forcing the allow key (if it -%>
<%# exists) to be first in the output order. The hash keys also need to be -%>
<%# sorted so that the ordering is stable. -%>
<% if @vhost_cfg_prepend -%>
<%- @vhost_cfg_prepend.sort_by{ |k, v| k.to_s == 'allow' ? '' : k.to_s }.each do |key,value| -%>
<%- if value.is_a?(Hash) -%>
<%- value.each do |subkey,subvalue| -%>
<%- Array(subvalue).each do |asubvalue| -%>
<%= key %> <%= subkey %> <%= asubvalue %>;
<%- end -%>
<%- end -%>
<%- else -%>
<%- Array(value).each do |asubvalue| -%>
<%= key %> <%= asubvalue %>;
<%- end -%>
<%- end -%>
<%- else -%>
<%- Array(value).each do |asubvalue| -%>
<%= key %> <%= asubvalue %>;
<%- end -%>
<%- end -%>
<%- end -%>
<% end -%>
<% Array(@raw_prepend).each do |line| -%>
<%= line %>
<% end -%>
<% Array(@raw_prepend).each do |line| -%>
<%= line %>
<% end %>
<% if @root -%>
root <%= @root %>;
<% end -%>
<% if @passenger_cgi_param -%>
<%- @passenger_cgi_param.keys.sort.each do |key| -%>
passenger_set_cgi_param <%= key %> <%= @passenger_cgi_param[key] %>;
<%- end -%>
<% end -%>
<% if Array(@resolver).count > 0 -%>
resolver <% Array(@resolver).each do |r| %> <%= r %><% end %>;
<% end -%>
<% @proxy_set_header.each do |header| -%>
proxy_set_header <%= header %>;
<% end -%>
<% @proxy_ignore_headers.each do |header| -%>
proxy_ignore_headers <%= header %>;
<% end -%>
<% if @add_header -%>
<%- @add_header.each do |key,value| -%>
add_header <%= key %> <%= value %>;
<%- end -%>
<% end -%>
<% if @index_files.count > 0 -%>
index <% Array(@index_files).each do |i| %> <%= i %><% end %>;
<% end -%>
<% if defined? @log_by_lua -%>
log_by_lua '<%= @log_by_lua %>';
<% end -%>
<% if defined? @log_by_lua_file -%>
log_by_lua_file "<%= @log_by_lua_file %>";
<% end -%>
<% end %>
<% if @root -%>
root <%= @root %>;
<% end -%>
<% if @passenger_cgi_param -%>
<%- @passenger_cgi_param.keys.sort.each do |key| -%>
passenger_set_cgi_param <%= key %> <%= @passenger_cgi_param[key] %>;
<%- end -%>
<% end -%>
<% if Array(@resolver).count > 0 -%>
resolver <% Array(@resolver).each do |r| %> <%= r %><% end %>;
<% end -%>
<% @proxy_set_header.each do |header| -%>
proxy_set_header <%= header %>;
<% end -%>
<% if @add_header -%>
<%- @add_header.each do |key,value| -%>
add_header <%= key %> <%= value %>;
<%- end -%>
<% end -%>
<% if @rewrite_to_https -%>
if ($ssl_protocol = "") {
return 301 https://$host<% if @ssl_port.to_i != 443 %>:<%= @ssl_port %><% end %>$request_uri;
}
<% end -%>
<% if @index_files.count > 0 -%>
index <% Array(@index_files).each do |i| %> <%= i %><% end %>;
<% end -%>
<% if defined? @log_by_lua -%>
log_by_lua '<%= @log_by_lua %>';
<% end -%>
<% if defined? @log_by_lua_file -%>
log_by_lua_file "<%= @log_by_lua_file %>";
<% end -%>

access_log <%= @access_log_real %>;
error_log <%= @error_log_real %>;
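Review bot: The new `<% if @rewrite_to_https -%>` branch returns `301` unconditionally, dropping the previous `if ($ssl_protocol = "")` guard; that is correct only if this template is never rendered for a server block that also terminates TLS, otherwise HTTPS clients would be sent into a redirect loop. The SSL listener appears to be rendered by vhost_ssl_header.erb, so this is probably safe, but the assumption deserves a comment, e.g. `<%# plain-HTTP listener only: TLS listeners come from vhost_ssl_header.erb, so an unconditional redirect cannot loop -%>`. The `<% else %>`, the `raw_prepend` loop's `<% end %>` and the closing `<% end %>` all use `%>` where the rest of the file uses `-%>`, so blank lines are added to every generated vhost. Note that `root`, `resolver`, `proxy_set_header`, `add_header` and `raw_prepend` are now all skipped for a redirecting vhost, the same silent suppression as in vhost_footer.erb, and should be documented in the same place.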

10 changes: 10 additions & 0 deletions templates/vhost/vhost_ssl_header.erb
Expand Up @@ -17,6 +17,13 @@ server {

ssl_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.crt;
ssl_certificate_key <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.key;

<% if defined? @ssl_client_certificate %>
ssl_client_certificate <%= @ssl_client_certificate %>;
<% end %>
<% if defined? @ssl_verify_client %>
ssl_verify_client <%= @ssl_verify_client %>;
<% end %>
<% if defined? @ssl_dhparam -%>
ssl_dhparam <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.dh.pem;
<% end -%>
Expand All @@ -41,6 +48,9 @@ server {
<%- if defined? @ssl_trusted_cert -%>
ssl_trusted_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.trusted.crt;
<%- end -%>
<%- if defined? @ssl_crl -%>
ssl_crl <%= @ssl_crl %>;
<%- end -%>

<% end -%>
<% if Array(@resolver).count > 0 -%>
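Review bot: `ssl_client_certificate <%= @ssl_client_certificate %>;` and `ssl_crl <%= @ssl_crl %>;` render caller-supplied paths verbatim, whereas every other piece of trust material in this file (the cert/key pair, `ssl_dhparam`, `ssl_trusted_certificate`) is copied into `conf_dir` with a managed owner and mode by vhost.pp; the client CA bundle and the CRL therefore end up with no Puppet-managed permissions or consistent location. Managing them the same way (for example `"${nginx::config::conf_dir}/${cert}.client.crt"` and `"${nginx::config::conf_dir}/${cert}.crl"`, names constructed here to match the existing pattern) would keep the trust material uniform. `ssl_verify_client` defaults to `'off'`, so `ssl_verify_client off;` is emitted for every SSL vhost — harmless, but the two new `<% if defined? … %>` blocks in the first hunk use `%>` while the adjacent `ssl_dhparam` block uses `-%>`, which adds blank lines to the output. The template continues outside the hunks.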