From d149c4393667db17396ee3e8687946c361eba5c9 Mon Sep 17 00:00:00 2001 From: Tom Booth Date: Wed, 21 Aug 2013 16:29:31 +0100 Subject: [PATCH 1/8] Fix SSL cert and key permissions It is bad practice to use 644 on a private key so we have migrated the key mode to 0400. The cert is already avaliable publicly through nginx so we have allowed it 0444. Nothing should need to write either the cert of the key after puppet has run, so we have denied any writing. --- manifests/resource/vhost.pp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp index f5005d0..c41241b 100644 --- a/manifests/resource/vhost.pp +++ b/manifests/resource/vhost.pp @@ -213,11 +213,13 @@ define nginx::resource::vhost ( # Check if the file has been defined before creating the file to # avoid the error when using wildcard cert on the multiple vhosts ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.crt", { - mode => '0644', + owner => $nginx::params::nx_daemon_user, + mode => '0444', source => $ssl_cert, }) ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.key", { - mode => '0644', + owner => $nginx::params::nx_daemon_user, + mode => '0400', source => $ssl_key, }) } From af7ceb0eec938678ac4d966e2f0c63a416c9717f Mon Sep 17 00:00:00 2001 From: Tom Booth Date: Thu, 22 Aug 2013 22:13:53 +0100 Subject: [PATCH 2/8] Give key's group permission to read --- manifests/resource/vhost.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp index c41241b..acb19bd 100644 --- a/manifests/resource/vhost.pp +++ b/manifests/resource/vhost.pp @@ -219,7 +219,7 @@ define nginx::resource::vhost ( }) ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.key", { owner => $nginx::params::nx_daemon_user, - mode => '0400', + mode => '0440', source => $ssl_key, }) } From 6934271b8553cf606bcd26927f55c2ca6f83097f Mon Sep 17 00:00:00 2001 
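Review bot: Setting `owner => $nginx::params::nx_daemon_user` on the `.key` resource hands the private key to the unprivileged worker account (the one that appears to back the nginx `user` directive), which undercuts what the `0400` mode is trying to achieve. With a stock package install the nginx master runs as root and is the process that opens `ssl_certificate_key`; the workers inherit the loaded context and never read the file, so anything that compromises a worker — or any other service sharing the `www-data`/`nginx` account, as PHP-FPM commonly does — can read the key for free. Prefer `owner => 'root', group => 'root', mode => '0400'` for the key and only fall back to the daemon user where the master is known to run unprivileged; the `.crt` resource could use `owner => 'root'` for consistency as well. The enclosing `define` and its `if $ssl` branch continue outside the hunk.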
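Review bot: Widening the key to `0440` without managing `group` means the set of readers is whatever group the file already happens to have — Puppet leaves an unmanaged group untouched, and a freshly created file gets the agent's primary group — so the "give key's group permission to read" intent is not actually pinned down by the manifest. Declare it next to `owner`, e.g. `group => 'root',`, or a dedicated group such as `ssl-cert` if a second process genuinely has to read the key (that consumer is not visible here), and add a one-line comment on the resource saying who the group read bit is for. Without an explicit group the mode change is effectively unreviewable from the manifest alone.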
From: Arthur Leonard Andersen Date: Sun, 21 Jul 2013 17:20:07 +0200 Subject: [PATCH 3/8] Use correct port for www rewrite --- manifests/resource/vhost.pp | 2 +- templates/vhost/vhost_ssl_footer.erb | 15 +++++++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 templates/vhost/vhost_ssl_footer.erb diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp index f5005d0..64fe62e 100644 --- a/manifests/resource/vhost.pp +++ b/manifests/resource/vhost.pp @@ -202,7 +202,7 @@ define nginx::resource::vhost ( 'absent' => absent, default => 'file', }, - content => template('nginx/vhost/vhost_footer.erb'), + content => template('nginx/vhost/vhost_ssl_footer.erb'), notify => Class['nginx::service'], } diff --git a/templates/vhost/vhost_ssl_footer.erb b/templates/vhost/vhost_ssl_footer.erb new file mode 100644 index 0000000..2a203ee --- /dev/null +++ b/templates/vhost/vhost_ssl_footer.erb @@ -0,0 +1,15 @@ +<% if @include_files %><% @include_files.each do |file| -%> +include <%= file %>; +<% end -%><% end -%> +<% if @vhost_cfg_append -%><% vhost_cfg_append.each do |key,value| -%> + <%= key %> <%= value %>; +<% end -%> +<% end -%> +} +<% if @rewrite_www_to_non_www -%> +server { + listen <%= @listen_ip %>:<%= @ssl_port %> ssl; + server_name www.<%= @name.gsub(/^www\./, '') %>; + rewrite ^ https://<%= @name.gsub(/^www\./, '') %>$uri permanent; +} +<% end %> From fda2969c208079fdc69975bc25938d0f523cc948 Mon Sep 17 00:00:00 2001 From: Omar Tamer Date: Wed, 4 Sep 2013 17:37:18 +0100 Subject: [PATCH 4/8] make client_max_body_size configurable --- manifests/config.pp | 1 + manifests/init.pp | 2 ++ templates/conf.d/proxy.conf.erb | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/manifests/config.pp b/manifests/config.pp index 000afbe..24836d0 100644 --- a/manifests/config.pp +++ b/manifests/config.pp 
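Review bot: The www-redirect `server` block added in `vhost_ssl_footer.erb` enables `ssl` on its `listen` line but declares no `ssl_certificate`/`ssl_certificate_key`; those directives are not inherited from a sibling `server`, so unless they are also set at the `http` level nginx will reject the configuration at load time, and whichever certificate ends up used there must also cover the `www.` host name. Either emit the same certificate directives the main SSL vhost uses inside this block, or keep the www rewrite on the plain HTTP port. Separately, `rewrite ^ https://…$uri permanent` rebuilds the Location from the normalised, decoded `$uri`, which can alter percent-encoded paths; `return 301 https://<%= @name.gsub(/^www\./, '') %>$request_uri;` preserves the original request bytes and query string. The bare `vhost_cfg_append.each` (no `@`) relies on Puppet's deprecated unqualified template variable lookup and should read `@vhost_cfg_append.each`.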
@@ -27,6 +27,7 @@ class nginx::config( $proxy_http_version = $nginx::params::nx_proxy_http_version, $types_hash_max_size = $nginx::params::nx_types_hash_max_size, $types_hash_bucket_size = $nginx::params::nx_types_hash_bucket_size, + $client_max_body_size = $nginx::params::nx_client_max_body_size, $http_cfg_append = $nginx::params::nx_http_cfg_append ) inherits nginx::params { File { diff --git a/manifests/init.pp b/manifests/init.pp index 49651fd..73079e6 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -43,6 +43,7 @@ class nginx ( $service_restart = $nginx::params::nx_service_restart, $mail = $nginx::params::nx_mail, $server_tokens = $nginx::params::nx_server_tokens, + $client_max_body_size = $nginx::params::nx_client_max_body_size, $http_cfg_append = $nginx::params::nx_http_cfg_append, $nginx_vhosts = {}, $nginx_upstreams = {}, @@ -67,6 +68,7 @@ class nginx ( proxy_cache_inactive => $proxy_cache_inactive, confd_purge => $confd_purge, server_tokens => $server_tokens, + client_max_body_size => $client_max_body_size, http_cfg_append => $http_cfg_append, require => Class['nginx::package'], notify => Class['nginx::service'], diff --git a/templates/conf.d/proxy.conf.erb b/templates/conf.d/proxy.conf.erb index 8225879..b1d9665 100644 --- a/templates/conf.d/proxy.conf.erb +++ b/templates/conf.d/proxy.conf.erb @@ -1,5 +1,5 @@ proxy_redirect <%= scope.lookupvar('nginx::params::nx_proxy_redirect') %>; -client_max_body_size <%= scope.lookupvar('nginx::params::nx_client_max_body_size') %>; +client_max_body_size <%= @client_max_body_size %>; client_body_buffer_size <%= scope.lookupvar('nginx::params::nx_client_body_buffer_size') %>; proxy_connect_timeout <%= scope.lookupvar('nginx::params::nx_proxy_connect_timeout') %>; proxy_send_timeout <%= scope.lookupvar('nginx::params::nx_proxy_send_timeout') %>; From 531e523b0ab71f3032b7af04222e3a1fd7eba5b1 Mon Sep 17 00:00:00 2001 
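Review bot: `client_max_body_size` is nginx's request-body size limit, and the new `nginx::config` parameter is passed straight into the template with no validation — a value of `0` silently disables the limit, and a malformed value only surfaces when `nginx -t` fails at service restart. Since `puppetlabs/stdlib` is already a module dependency, guard it in the class body (where the stdlib version in use provides it), e.g. `validate_re($client_max_body_size, '^\d+[kKmMgG]?$', 'client_max_body_size must be a size such as 10m')`, and add a `# [*client_max_body_size*]` entry to the class header noting that `0` disables the check. The rest of the parameter list and the class body lie outside the hunk.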
From: Ashley Penney Date: Wed, 4 Sep 2013 17:27:58 -0400 Subject: [PATCH 5/8] Weird invalid characters in this comment. --- manifests/resource/location.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/resource/location.pp b/manifests/resource/location.pp index 3018dcb..3aee89e 100644 --- a/manifests/resource/location.pp +++ b/manifests/resource/location.pp @@ -14,8 +14,8 @@ # with nginx::resource::upstream # [*proxy_read_timeout*] - Override the default the proxy read timeout value of 90 seconds # [*fastcgi*] - location of fastcgi (host:port) -# [*fastcgi_params*] - optional alternative fastcgi_params file to use -# [*fastcgi_script*] - optional SCRIPT_FILE parameter +# [*fastcgi_params*] - optional alternative fastcgi_params file to use +# [*fastcgi_script*] - optional SCRIPT_FILE parameter # [*fastcgi_split_path*] - Allows settings of fastcgi_split_path_info so that you can split the script_name and path_info via regex # [*ssl*] - Indicates whether to setup SSL bindings for this location. # [*ssl_only*] - Required if the SSL and normal vHost have the same port. From 46a17f97c5d6c9a3f89991b2c60d8011428faca1 Mon Sep 17 00:00:00 2001 From: Ashley Penney Date: Wed, 4 Sep 2013 17:57:41 -0400 Subject: [PATCH 6/8] Refactor to use puppetlabs-apt. This is just the first step of fixing up the repo stuff and allowing the module to take in a package_name, but this helps replace the execs{} with puppetlabs-apt. Tested on: Debian 7, Ubuntu 12.04. --- Gemfile.lock | 31 +++++++++++++++++++++++++++++++ Modulefile | 1 + manifests/package/debian.pp | 23 ++++++++--------------- 3 files changed, 40 insertions(+), 15 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index b8145a8..d78d902 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,6 +1,7 @@ GEM remote: https://rubygems.org/ specs: + builder (3.2.2) diff-lcs (1.2.4) facter (1.7.1) hiera (1.2.1) 
@@ -8,6 +9,7 @@ GEM highline (1.6.19) json (1.8.0) json_pure (1.8.0) + kwalify (0.7.2) librarian (0.1.0) highline thor (~> 0.15) @@ -19,6 +21,9 @@ GEM mime-types (1.23) mocha (0.14.0) metaclass (~> 0.0.1) + net-scp (1.1.2) + net-ssh (>= 2.6.5) + net-ssh (2.6.8) nokogiri (1.5.9) puppet (3.2.1) facter (~> 1.6) @@ -37,6 +42,10 @@ GEM rspec (>= 2.9.0) rspec-puppet (>= 0.1.1) rake (10.0.4) + rbvmomi (1.6.0) + builder + nokogiri (>= 1.4.1) + trollop rest-client (1.6.7) mime-types (>= 1.16) rgen (0.6.2) @@ -50,7 +59,26 @@ GEM rspec-mocks (2.13.1) rspec-puppet (0.1.6) rspec + rspec-system (2.2.0) + kwalify (~> 0.7.2) + net-scp (~> 1.1) + net-ssh (~> 2.6) + nokogiri (~> 1.5.9) + rbvmomi (~> 1.6) + rspec (~> 2.13) + systemu (~> 2.5) + rspec-system-puppet (2.2.0) + rspec-system (~> 2.0) + rspec-system-serverspec (1.0.0) + rspec-system (~> 2.0) + serverspec (~> 0.6.0) + serverspec (0.6.3) + highline + net-ssh + rspec (~> 2.0) + systemu (2.5.2) thor (0.18.1) + trollop (2.0) PLATFORMS ruby @@ -63,3 +91,6 @@ DEPENDENCIES puppetlabs_spec_helper rake (>= 0.9.2.2) rspec-puppet (>= 0.1.3) + rspec-system-puppet + rspec-system-serverspec + serverspec diff --git a/Modulefile b/Modulefile index 7b80855..5e5a2f1 100644 --- a/Modulefile +++ b/Modulefile @@ -8,3 +8,4 @@ description 'This module can be used for basic NGINX Management' project_page 'http://github.com/jfryman/puppet-nginx' dependency 'puppetlabs/stdlib', '>= 0.1.6' +dependency 'puppetlabs/apt', '>= 1.0.0' diff --git a/manifests/package/debian.pp b/manifests/package/debian.pp index 983d182..bb2b8b5 100644 --- a/manifests/package/debian.pp +++ b/manifests/package/debian.pp @@ -14,7 +14,7 @@ # # This class file is not called directly class nginx::package::debian { - $operatingsystem_lowercase = inline_template('<%= @operatingsystem.downcase %>') + $distro = downcase($::operatingsystem) package { 'nginx': ensure => $nginx::package_ensure, 
@@ -23,20 +23,13 @@ class nginx::package::debian { anchor { 'nginx::apt_repo' : } - file { '/etc/apt/sources.list.d/nginx.list': - ensure => present, - content => "deb http://nginx.org/packages/${operatingsystem_lowercase}/ ${::lsbdistcodename} nginx - deb-src http://nginx.org/packages/${operatingsystem_lowercase}/ ${::lsbdistcodename} nginx - ", - mode => '0444', - require => Exec['add_nginx_apt_key'], - before => Anchor['nginx::apt_repo'], - } + include '::apt' - exec { 'add_nginx_apt_key': - command => '/usr/bin/wget http://nginx.org/keys/nginx_signing.key -O - | /usr/bin/apt-key add -', - unless => '/usr/bin/apt-key list | /bin/grep -q nginx', - before => Anchor['nginx::apt_repo'], + apt::source { 'nginx': + location => "http://nginx.org/packages/${distro}", + repos => 'nginx', + key => '7BD9BF62', + key_source => 'http://nginx.org/keys/nginx_signing.key', } exec { 'apt_get_update_for_nginx': @@ -44,7 +37,7 @@ class nginx::package::debian { timeout => 240, returns => [ 0, 100 ], refreshonly => true, - subscribe => File['/etc/apt/sources.list.d/nginx.list'], + subscribe => Apt::Source['nginx'], before => Anchor['nginx::apt_repo'], } } From 53b4986b5d142c6461acb7e4eb307ed4a82822a3 Mon Sep 17 00:00:00 2001 From: Omar Z Date: Thu, 5 Sep 2013 22:57:50 +0100 Subject: [PATCH 7/8] make proxy_buffers configurable --- manifests/config.pp | 1 + manifests/init.pp | 2 ++ templates/conf.d/proxy.conf.erb | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/manifests/config.pp b/manifests/config.pp index 24836d0..4bcce90 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -28,6 +28,7 @@ class nginx::config( $types_hash_max_size = $nginx::params::nx_types_hash_max_size, $types_hash_bucket_size = $nginx::params::nx_types_hash_bucket_size, $client_max_body_size = $nginx::params::nx_client_max_body_size, + $proxy_buffers = $nginx::params::nx_proxy_buffers, $http_cfg_append = $nginx::params::nx_http_cfg_append ) inherits nginx::params { File { 
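Review bot: The repository signing key is still fetched over plain HTTP (`key_source => 'http://nginx.org/keys/nginx_signing.key'`), so the trust anchor for every package installed from this source is itself unauthenticated — an on-path attacker can substitute a key and then serve arbitrary packages — and the short `key => '7BD9BF62'` id is only 32 bits and, as far as I recall of puppetlabs-apt 1.x, is used to decide whether a key is already present rather than to verify what was downloaded. Ship the key inside the module and pass it via `key_content` (where the apt module version supports it), use the full fingerprint where accepted, and at minimum switch both `location` and `key_source` to `https://`. The removed `wget | apt-key add` had the same weakness, so this is not a regression, but the refactor is the natural point to fix it; the `exec { 'apt_get_update_for_nginx'` that follows is likely redundant with the apt module's own update trigger.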
diff --git a/manifests/init.pp b/manifests/init.pp index febff76..41dc122 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -45,6 +45,7 @@ class nginx ( $mail = $nginx::params::nx_mail, $server_tokens = $nginx::params::nx_server_tokens, $client_max_body_size = $nginx::params::nx_client_max_body_size, + $proxy_buffers = $nginx::params::nx_proxy_buffers, $http_cfg_append = $nginx::params::nx_http_cfg_append, $nginx_vhosts = {}, $nginx_upstreams = {}, @@ -70,6 +71,7 @@ class nginx ( confd_purge => $confd_purge, server_tokens => $server_tokens, client_max_body_size => $client_max_body_size, + proxy_buffers => $proxy_buffers, http_cfg_append => $http_cfg_append, require => Class['nginx::package'], notify => Class['nginx::service'], diff --git a/templates/conf.d/proxy.conf.erb b/templates/conf.d/proxy.conf.erb index b1d9665..af114ad 100644 --- a/templates/conf.d/proxy.conf.erb +++ b/templates/conf.d/proxy.conf.erb @@ -4,7 +4,7 @@ client_body_buffer_size <%= scope.lookupvar('nginx::params::nx_client_body_buffe proxy_connect_timeout <%= scope.lookupvar('nginx::params::nx_proxy_connect_timeout') %>; proxy_send_timeout <%= scope.lookupvar('nginx::params::nx_proxy_send_timeout') %>; proxy_read_timeout <%= scope.lookupvar('nginx::params::nx_proxy_read_timeout') %>; -proxy_buffers <%= scope.lookupvar('nginx::params::nx_proxy_buffers') %>; +proxy_buffers <%= @proxy_buffers %>; proxy_http_version <%= @proxy_http_version %>; <% @proxy_set_header.each do |header| %> proxy_set_header <%= header %>;<% end %> From 4da3e462076dff6fd151e37817090ca11031f324 Mon Sep 17 00:00:00 2001 From: Omar Z Date: Thu, 5 Sep 2013 23:15:45 +0100 Subject: [PATCH 8/8] added proxy_buffer_size with default value of 8k --- manifests/config.pp | 3 ++- manifests/init.pp | 2 ++ manifests/params.pp | 1 + templates/conf.d/proxy.conf.erb | 1 + 4 files changed, 6 insertions(+), 1 deletion(-) diff --git a/manifests/config.pp b/manifests/config.pp index 4bcce90..230a663 100644 --- a/manifests/config.pp 
+++ b/manifests/config.pp @@ -29,7 +29,8 @@ class nginx::config( $types_hash_bucket_size = $nginx::params::nx_types_hash_bucket_size, $client_max_body_size = $nginx::params::nx_client_max_body_size, $proxy_buffers = $nginx::params::nx_proxy_buffers, - $http_cfg_append = $nginx::params::nx_http_cfg_append + $http_cfg_append = $nginx::params::nx_http_cfg_append, + $proxy_buffer_size = $nginx::params::nx_proxy_buffer_size, ) inherits nginx::params { File { owner => 'root', diff --git a/manifests/init.pp b/manifests/init.pp index 41dc122..63d93f8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -46,6 +46,7 @@ class nginx ( $server_tokens = $nginx::params::nx_server_tokens, $client_max_body_size = $nginx::params::nx_client_max_body_size, $proxy_buffers = $nginx::params::nx_proxy_buffers, + $proxy_buffer_size = $nginx::params::nx_proxy_buffer_size, $http_cfg_append = $nginx::params::nx_http_cfg_append, $nginx_vhosts = {}, $nginx_upstreams = {}, @@ -72,6 +73,7 @@ class nginx ( server_tokens => $server_tokens, client_max_body_size => $client_max_body_size, proxy_buffers => $proxy_buffers, + proxy_buffer_size => $proxy_buffer_size, http_cfg_append => $http_cfg_append, require => Class['nginx::package'], notify => Class['nginx::service'], diff --git a/manifests/params.pp b/manifests/params.pp index 2b19b3b..a38abdb 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -58,6 +58,7 @@ class nginx::params { $nx_proxy_read_timeout = '90' $nx_proxy_buffers = '32 4k' $nx_proxy_http_version = '1.0' + $nx_proxy_buffer_size = '8k' $nx_logdir = $::kernel ? { /(?i-mx:linux)/ => '/var/log/nginx', diff --git a/templates/conf.d/proxy.conf.erb b/templates/conf.d/proxy.conf.erb index af114ad..fcd7e1d 100644 --- a/templates/conf.d/proxy.conf.erb +++ b/templates/conf.d/proxy.conf.erb 
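Review bot: The new `$proxy_buffer_size` parameter is appended after `$http_cfg_append` and leaves a trailing comma on the last parameter, whereas the two preceding patches inserted their parameters before `$http_cfg_append`; keeping that ordering groups the `proxy_*` settings together and avoids the dangling comma — put `$proxy_buffer_size = $nginx::params::nx_proxy_buffer_size,` directly after the `$proxy_buffers` line and leave `$http_cfg_append = $nginx::params::nx_http_cfg_append` as the comma-less final parameter. If the module still targets Puppet parsers that reject a trailing comma in a class parameter list, the current form is a parse error rather than a style nit. A `# [*proxy_buffer_size*]` entry in the class header (outside the hunk) would document the `8k` default introduced in `params.pp`.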
@@ -5,6 +5,7 @@ proxy_connect_timeout <%= scope.lookupvar('nginx::params::nx_proxy_connect_tim proxy_send_timeout <%= scope.lookupvar('nginx::params::nx_proxy_send_timeout') %>; proxy_read_timeout <%= scope.lookupvar('nginx::params::nx_proxy_read_timeout') %>; proxy_buffers <%= @proxy_buffers %>; +proxy_buffer_size <%= @proxy_buffer_size %>; proxy_http_version <%= @proxy_http_version %>; <% @proxy_set_header.each do |header| %> proxy_set_header <%= header %>;<% end %>