This commit addresses issue #49, the lack of ways to set allow and

deny rules within a location.
2013-09-04 13:04:28 -04:00 · 2013-09-04 13:04:28 -04:00 · 39bc3f16ac
commit 39bc3f16ac
parent 43d2e86a20
4 changed files with 61 additions and 17 deletions
--- a/manifests/resource/location.pp
+++ b/manifests/resource/location.pp
@ -6,6 +6,8 @@
 #   [*ensure*]               - Enables or disables the specified location (present|absent)
 #   [*vhost*]                - Defines the default vHost for this location entry to include with
 #   [*location*]             - Specifies the URI associated with this location entry
+#   [*location_allow*]      - Array: Locations to allow connections from.
+#   [*location_deny*]       - Array: Locations to deny connections from.
 #   [*www_root*]             - Specifies the location on disk for files to be read from. Cannot be set in conjunction with $proxy
 #   [*index_files*]          - Default index files for NGINX to read when traversing a directory
 #   [*proxy*]                - Proxy server(s) for a location to connect to. Accepts a single value, can be used in conjunction
@ -82,6 +84,8 @@ define nginx::resource::location (
  $ssl                  = false,
  $ssl_only             = false,
  $location_alias       = undef,
+  $location_allow       = undef,
+  $location_deny        = undef,
  $option               = undef,
  $stub_status          = undef,
  $location_custom_cfg  = undef,
--- a/manifests/resource/vhost.pp
+++ b/manifests/resource/vhost.pp
@ -7,6 +7,8 @@
 #   [*listen_ip*]           - Default IP Address for NGINX to listen with this vHost on. Defaults to all interfaces (*)
 #   [*listen_port*]         - Default IP Port for NGINX to listen with this vHost on. Defaults to TCP 80
 #   [*listen_options*]      - Extra options for listen directive like 'default' to catchall. Undef by default.
+#   [*location_allow*]      - Array: Locations to allow connections from.
+#   [*location_deny*]       - Array: Locations to deny connections from.
 #   [*ipv6_enable*]         - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6
 #                             support exists on your system before enabling.
 #   [*ipv6_listen_ip*]      - Default IPv6 Address for NGINX to listen with this vHost on. Defaults to all interfaces (::)
@ -64,6 +66,8 @@ define nginx::resource::vhost (
  $listen_ip              = '*',
  $listen_port            = '80',
  $listen_options         = undef,
+  $location_allow         = [],
+  $location_deny          = [],
  $ipv6_enable            = false,
  $ipv6_listen_ip         = '::',
  $ipv6_listen_port       = '80',
@ -101,6 +105,9 @@ define nginx::resource::vhost (
  $include_files          = undef
 ) {

+  validate_array($location_allow)
+  validate_array($location_deny)
+
  File {
    ensure => $ensure ? {
      'absent' => absent,
@ -144,23 +151,25 @@ define nginx::resource::vhost (

  # Create the default location reference for the vHost
  nginx::resource::location {"${name}-default":
-    ensure               => $ensure,
-    vhost                => $name,
-    ssl                  => $ssl,
-    ssl_only             => $ssl_only,
-    location             => '/',
-    proxy                => $proxy,
-    proxy_read_timeout   => $proxy_read_timeout,
-    proxy_cache          => $proxy_cache,
-    proxy_cache_valid    => $proxy_cache_valid,
-    fastcgi              => $fastcgi,
-    fastcgi_params       => $fastcgi_params,
-    fastcgi_script       => $fastcgi_script,
-    try_files            => $try_files,
-    www_root             => $www_root,
-    index_files          => $index_files,
-    location_custom_cfg  => $location_custom_cfg,
-    notify               => Class['nginx::service'],
+    ensure              => $ensure,
+    vhost               => $name,
+    ssl                 => $ssl,
+    ssl_only            => $ssl_only,
+    location            => '/',
+    location_allow      => $location_allow,
+    location_deny       => $location_deny,
+    proxy               => $proxy,
+    proxy_read_timeout  => $proxy_read_timeout,
+    proxy_cache         => $proxy_cache,
+    proxy_cache_valid   => $proxy_cache_valid,
+    fastcgi             => $fastcgi,
+    fastcgi_params      => $fastcgi_params,
+    fastcgi_script      => $fastcgi_script,
+    try_files           => $try_files,
+    www_root            => $www_root,
+    index_files         => $index_files,
+    location_custom_cfg => $location_custom_cfg,
+    notify              => Class['nginx::service'],
  }

  # Support location_cfg_prepend and location_cfg_append on default location created by vhost
--- a/spec/defines/nginxresourcevhost_spec.rb
+++ b/spec/defines/nginxresourcevhost_spec.rb
@ -0,0 +1,25 @@
+require 'spec_helper'
+
+describe 'nginx::resource::vhost' do
+
+  describe 'applies allow and deny rules' do
+    let (:title) { 'test' }
+    let (:params) {{
+      :www_root       => '/var/www/nginx',
+      :location_allow => ['10.0.0.1', 'host1'],
+      :location_deny  => ['host2', '10.0.0.2']
+    }}
+
+    it 'applies location_allow rules' do
+      should contain_file('/nginx.d/test-500-test-default').with({
+        'content' => /allow 10.0.0.1\n  allow host1/
+      })
+    end
+    it 'applies location_deny rules' do
+      should contain_file('/nginx.d/test-500-test-default').with({
+        'content' => /deny host2\n  deny 10.0.0.2/
+      })
+    end
+  end
+
+end
--- a/templates/vhost/vhost_location_directory.erb
+++ b/templates/vhost/vhost_location_directory.erb
@ -1,4 +1,10 @@
  location <%= @location %> {
+<% if @location_allow -%><% @location_allow.each do |allow_rule| -%>
+  allow <%= allow_rule %>
+<% end -%><% end -%>
+<% if @location_deny -%><% @location_deny.each do |deny_rule| -%>
+  deny <%= deny_rule %>
+<% end -%><% end -%>
 <% if @location_cfg_prepend -%><% @location_cfg_prepend.sort_by {|k,v| k}.each do |key,value| -%>
    <%= key %> <%= value %>;
 <% end -%><% end -%>