From 39bc3f16ac60914e9be25c0670a4c672c0f0f287 Mon Sep 17 00:00:00 2001 From: Ashley Penney Date: Wed, 4 Sep 2013 13:04:28 -0400 Subject: [PATCH] This commit addresses issue #49, the lack of ways to set allow and deny rules within a location. --- manifests/resource/location.pp | 4 ++ manifests/resource/vhost.pp | 43 ++++++++++++-------- spec/defines/nginx__resource__vhost_spec.rb | 25 ++++++++++++ templates/vhost/vhost_location_directory.erb | 6 +++ 4 files changed, 61 insertions(+), 17 deletions(-) create mode 100644 spec/defines/nginx__resource__vhost_spec.rb diff --git a/manifests/resource/location.pp b/manifests/resource/location.pp index 8f2c7c8..3018dcb 100644 --- a/manifests/resource/location.pp +++ b/manifests/resource/location.pp @@ -6,6 +6,8 @@ # [*ensure*] - Enables or disables the specified location (present|absent) # [*vhost*] - Defines the default vHost for this location entry to include with # [*location*] - Specifies the URI associated with this location entry +# [*location_allow*] - Array: Locations to allow connections from. +# [*location_deny*] - Array: Locations to deny connections from. # [*www_root*] - Specifies the location on disk for files to be read from. Cannot be set in conjunction with $proxy # [*index_files*] - Default index files for NGINX to read when traversing a directory # [*proxy*] - Proxy server(s) for a location to connect to. Accepts a single value, can be used in conjunction @@ -82,6 +84,8 @@ define nginx::resource::location ( $ssl = false, $ssl_only = false, $location_alias = undef, + $location_allow = undef, + $location_deny = undef, $option = undef, $stub_status = undef, $location_custom_cfg = undef, diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp index f5005d0..dab55ca 100644 --- a/manifests/resource/vhost.pp +++ b/manifests/resource/vhost.pp @@ -7,6 +7,8 @@ # [*listen_ip*] - Default IP Address for NGINX to listen with this vHost on. Defaults to all interfaces (*) # [*listen_port*] - Default IP Port for NGINX to listen with this vHost on. Defaults to TCP 80 # [*listen_options*] - Extra options for listen directive like 'default' to catchall. Undef by default. +# [*location_allow*] - Array: Locations to allow connections from. +# [*location_deny*] - Array: Locations to deny connections from. # [*ipv6_enable*] - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6 # support exists on your system before enabling. # [*ipv6_listen_ip*] - Default IPv6 Address for NGINX to listen with this vHost on. Defaults to all interfaces (::) @@ -64,6 +66,8 @@ define nginx::resource::vhost ( $listen_ip = '*', $listen_port = '80', $listen_options = undef, + $location_allow = [], + $location_deny = [], $ipv6_enable = false, $ipv6_listen_ip = '::', $ipv6_listen_port = '80', @@ -101,6 +105,9 @@ define nginx::resource::vhost ( $include_files = undef ) { + validate_array($location_allow) + validate_array($location_deny) + File { ensure => $ensure ? { 'absent' => absent, @@ -144,23 +151,25 @@ define nginx::resource::vhost ( # Create the default location reference for the vHost nginx::resource::location {"${name}-default": - ensure => $ensure, - vhost => $name, - ssl => $ssl, - ssl_only => $ssl_only, - location => '/', - proxy => $proxy, - proxy_read_timeout => $proxy_read_timeout, - proxy_cache => $proxy_cache, - proxy_cache_valid => $proxy_cache_valid, - fastcgi => $fastcgi, - fastcgi_params => $fastcgi_params, - fastcgi_script => $fastcgi_script, - try_files => $try_files, - www_root => $www_root, - index_files => $index_files, - location_custom_cfg => $location_custom_cfg, - notify => Class['nginx::service'], + ensure => $ensure, + vhost => $name, + ssl => $ssl, + ssl_only => $ssl_only, + location => '/', + location_allow => $location_allow, + location_deny => $location_deny, + proxy => $proxy, + proxy_read_timeout => $proxy_read_timeout, + proxy_cache => $proxy_cache, + proxy_cache_valid => $proxy_cache_valid, + fastcgi => $fastcgi, + fastcgi_params => $fastcgi_params, + fastcgi_script => $fastcgi_script, + try_files => $try_files, + www_root => $www_root, + index_files => $index_files, + location_custom_cfg => $location_custom_cfg, + notify => Class['nginx::service'], } # Support location_cfg_prepend and location_cfg_append on default location created by vhost diff --git a/spec/defines/nginx__resource__vhost_spec.rb b/spec/defines/nginx__resource__vhost_spec.rb new file mode 100644 index 0000000..ff17db7 --- /dev/null +++ b/spec/defines/nginx__resource__vhost_spec.rb @@ -0,0 +1,25 @@ +require 'spec_helper' + +describe 'nginx::resource::vhost' do + + describe 'applies allow and deny rules' do + let (:title) { 'test' } + let (:params) {{ + :www_root => '/var/www/nginx', + :location_allow => ['10.0.0.1', 'host1'], + :location_deny => ['host2', '10.0.0.2'] + }} + + it 'applies location_allow rules' do + should contain_file('/nginx.d/test-500-test-default').with({ + 'content' => /allow 10.0.0.1\n allow host1/ + }) + end + it 'applies location_deny rules' do + should contain_file('/nginx.d/test-500-test-default').with({ + 'content' => /deny host2\n deny 10.0.0.2/ + }) + end + end + +end diff --git a/templates/vhost/vhost_location_directory.erb b/templates/vhost/vhost_location_directory.erb index 61705d3..09aa209 100644 --- a/templates/vhost/vhost_location_directory.erb +++ b/templates/vhost/vhost_location_directory.erb @@ -1,4 +1,10 @@ location <%= @location %> { +<% if @location_allow -%><% @location_allow.each do |allow_rule| -%> + allow <%= allow_rule %> +<% end -%><% end -%> +<% if @location_deny -%><% @location_deny.each do |deny_rule| -%> + deny <%= deny_rule %> +<% end -%><% end -%> <% if @location_cfg_prepend -%><% @location_cfg_prepend.sort_by {|k,v| k}.each do |key,value| -%> <%= key %> <%= value %>; <% end -%><% end -%>