Merge pull request #212 from hdanes/ssl_dhparam

Add support for Diffie-Hellman (SSL) parameters in VHOST resource.
2013-12-30 09:39:41 -08:00 · 2013-12-30 09:39:41 -08:00 · 2b192933db
commit 2b192933db
parent 96475098eb 1d90dacfb3
2 changed files with 18 additions and 1 deletions
--- a/manifests/resource/vhost.pp
+++ b/manifests/resource/vhost.pp
@ -43,6 +43,9 @@
 #     vhost.
 #   [*ssl_cert*]            - Pre-generated SSL Certificate file to reference
 #     for SSL Support. This is not generated by this module.
+#   [*ssl_dhparam*]         - This directive specifies a file containing
+#     Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
+#     format, utilized for exchanging session keys between server and client. 
 #   [*ssl_key*]             - Pre-generated SSL Key file to reference for SSL
 #     Support. This is not generated by this module.
 #   [*ssl_port*]            - Default IP Port for NGINX to listen with this SSL
@ -124,6 +127,7 @@ define nginx::resource::vhost (
  $add_header             = undef,
  $ssl                    = false,
  $ssl_cert               = undef,
+  $ssl_dhparam            = undef,
  $ssl_key                = undef,
  $ssl_port               = '443',
  $ssl_protocols          = 'SSLv3 TLSv1 TLSv1.1 TLSv1.2',
@ -178,6 +182,9 @@ define nginx::resource::vhost (
  if ($add_header != undef) {
    validate_hash($add_header)
  }
+  if ($ssl_dhparam != undef) {
+    validate_string($ssl_dhparam)
+  }
  if ($resolver != undef) {
    validate_string($resolver)
  }
@ -354,6 +361,13 @@ define nginx::resource::vhost (
      mode   => '0440',
      source => $ssl_key,
    })
+    if ($ssl_dhparam != undef) {
+      ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.dh.pem", {
+        owner  => $nginx::params::nx_daemon_user,
+        mode   => '0440',
+        source => $ssl_dhparam,
+      })
+    }
    if ($ssl_stapling_file != undef) {
      ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.ocsp.resp", {
        owner  => $nginx::params::nx_daemon_user,
@ -377,4 +391,4 @@ define nginx::resource::vhost (
    require => Concat[$config_file],
    notify  => Service['nginx'],
  }
-}
+}
--- a/templates/vhost/vhost_ssl_header.erb
+++ b/templates/vhost/vhost_ssl_header.erb
@ -9,6 +9,9 @@ server {

  ssl_certificate           <%= scope.lookupvar('nginx::params::nx_conf_dir') %>/<%= @name.gsub(' ', '_') %>.crt;
  ssl_certificate_key       <%= scope.lookupvar('nginx::params::nx_conf_dir') %>/<%= @name.gsub(' ', '_') %>.key;
+<% if defined? @ssl_dhparam -%>
+  ssl_dhparam               <%= scope.lookupvar('nginx::params::nx_conf_dir') %>/<%= @name.gsub(' ', '_') %>.dh.pem;
+<% end -%>
  ssl_session_cache         <%= @ssl_cache %>;
  ssl_session_timeout       5m;
  ssl_protocols             <%= @ssl_protocols %>;