From 3db6a726cbffe1876abfdf859c734fbc193cdd18 Mon Sep 17 00:00:00 2001
From: Harry Danes
Date: Fri, 27 Dec 2013 09:10:11 +0100
Subject: [PATCH] Add support for Diffie-Hellman parameters in VHOST resource.
---
manifests/resource/vhost.pp | 14 ++++++++++++++
templates/vhost/vhost_ssl_header.erb | 3 +++
2 files changed, 17 insertions(+)
diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp
index 389e67e..95d36c6 100644
--- a/manifests/resource/vhost.pp
+++ b/manifests/resource/vhost.pp
@@ -41,6 +41,9 @@
# vhost.
# [*ssl_cert*] - Pre-generated SSL Certificate file to reference
# for SSL Support. This is not generated by this module.
+# [*ssl_dhparam*] - This directive specifies a file containing
+# Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
+# format, utilized for exchanging session keys between server and client.
# [*ssl_key*] - Pre-generated SSL Key file to reference for SSL
# Support. This is not generated by this module.
# [*ssl_port*] - Default IP Port for NGINX to listen with this SSL
@@ -109,6 +112,7 @@ define nginx::resource::vhost (
$add_header = undef,
$ssl = false,
$ssl_cert = undef,
+ $ssl_dhparam = undef,
$ssl_key = undef,
$ssl_port = '443',
$ssl_protocols = 'SSLv3 TLSv1 TLSv1.1 TLSv1.2',
@@ -157,6 +161,9 @@ define nginx::resource::vhost (
if ($add_header != undef) {
validate_hash($add_header)
}
+ if ($ssl_dhparam != undef) {
+ validate_string($ssl_dhparam)
+ }
# Variables
$vhost_dir = "${nginx::config::nx_conf_dir}/sites-available"
@@ -319,6 +326,13 @@ define nginx::resource::vhost (
mode => '0440',
source => $ssl_key,
})
+ if ($ssl_dhparam != undef) {
+ ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.dh.pem", {
+ owner => $nginx::params::nx_daemon_user,
+ mode => '0440',
+ source => $ssl_dhparam,
+ })
+ }
}
file{ "${name_sanitized}.conf symlink":
diff --git a/templates/vhost/vhost_ssl_header.erb b/templates/vhost/vhost_ssl_header.erb
index 0007517..fa79420 100644
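Review bot: The new `[*ssl_dhparam*]` comment in the first hunk explains what nginx does with the directive but not what the parameter itself takes, while the neighbouring `ssl_cert`/`ssl_key` entries state that the value is a pre-generated file the module copies rather than generates. Later in this patch the value becomes the `source` of a file resource placed in the nginx conf dir, so the contract is the same and should be stated the same way. I would append `# The value is a file source (as for ssl_cert/ssl_key) that is copied into the nginx conf dir; this module does not generate it.` after the third added comment line.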
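Review bot: In the last hunk of vhost.pp the deployed file is named from `${cert}`, whereas the template hunk in this patch builds the `ssl_dhparam` path from `@name.gsub(' ', '_')`; `$cert` is assigned outside this hunk, so I cannot confirm from here that the two spellings agree, and if they drift nginx is pointed at a `.dh.pem` the manifest never creates. The adjacent `.crt`/`.key` resources appear to use the same `${cert}` naming, so this is probably consistent today, but the coupling is invisible at either site. A comment on the added `ensure_resource` line, `# file name must match the ssl_dhparam path built in templates/vhost/vhost_ssl_header.erb`, would make it explicit. The enclosing `if` block that wraps the SSL file resources starts before the hunk and is closed by the `}` context line.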
--- a/templates/vhost/vhost_ssl_header.erb
+++ b/templates/vhost/vhost_ssl_header.erb
@@ -9,6 +9,9 @@ server {
ssl_certificate <%= scope.lookupvar('nginx::params::nx_conf_dir') %>/<%= @name.gsub(' ', '_') %>.crt;
ssl_certificate_key <%= scope.lookupvar('nginx::params::nx_conf_dir') %>/<%= @name.gsub(' ', '_') %>.key;
+<% if defined? @ssl_dhparam -%>
+ ssl_dhparam <%= scope.lookupvar('nginx::params::nx_conf_dir') %>/<%= @name.gsub(' ', '_') %>.dh.pem;
+<% end -%>
ssl_session_cache <%= @ssl_cache %>;
ssl_session_timeout 5m;
ssl_protocols <%= @ssl_protocols %>;
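Review bot: `defined? @ssl_dhparam` on the first added line is unlikely to reflect whether the parameter was actually given: Puppet's template scope assigns every visible variable as an instance variable, and under Puppet 3.x an undef parameter is presented as `:undef`, so `defined?` is true even for the `$ssl_dhparam = undef` default declared in this patch's manifest. The directive would then be emitted for every SSL vhost while the manifest deploys the `.dh.pem` file only when `$ssl_dhparam != undef`, and nginx fails to load a config whose `ssl_dhparam` file is missing. Mirroring the manifest's test, `<% if @ssl_dhparam && @ssl_dhparam != :undef -%>`, keeps the two conditions in step. The surrounding `server {` block starts before the hunk.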