Add support for Diffie-Hellman parameters in VHOST resource.

2013-12-27 09:10:11 +01:00 · 2013-12-27 09:10:11 +01:00 · 3db6a726cb
commit 3db6a726cb
parent 7d1540b3bb
2 changed files with 17 additions and 0 deletions
--- a/manifests/resource/vhost.pp
+++ b/manifests/resource/vhost.pp
@ -41,6 +41,9 @@
 #     vhost.
 #   [*ssl_cert*]            - Pre-generated SSL Certificate file to reference
 #     for SSL Support. This is not generated by this module.
+#   [*ssl_dhparam*]         - This directive specifies a file containing
+#     Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
+#     format, utilized for exchanging session keys between server and client. 
 #   [*ssl_key*]             - Pre-generated SSL Key file to reference for SSL
 #     Support. This is not generated by this module.
 #   [*ssl_port*]            - Default IP Port for NGINX to listen with this SSL
@ -109,6 +112,7 @@ define nginx::resource::vhost (
  $add_header             = undef,
  $ssl                    = false,
  $ssl_cert               = undef,
+  $ssl_dhparam            = undef,
  $ssl_key                = undef,
  $ssl_port               = '443',
  $ssl_protocols          = 'SSLv3 TLSv1 TLSv1.1 TLSv1.2',
@ -157,6 +161,9 @@ define nginx::resource::vhost (
  if ($add_header != undef) {
    validate_hash($add_header)
  }
+  if ($ssl_dhparam != undef) {
+    validate_string($ssl_dhparam)
+  }

  # Variables
  $vhost_dir = "${nginx::config::nx_conf_dir}/sites-available"
@ -319,6 +326,13 @@ define nginx::resource::vhost (
      mode   => '0440',
      source => $ssl_key,
    })
+    if ($ssl_dhparam != undef) {
+      ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.dh.pem", {
+        owner  => $nginx::params::nx_daemon_user,
+        mode   => '0440',
+        source => $ssl_dhparam,
+      })
+    }
  }

  file{ "${name_sanitized}.conf symlink":
--- a/templates/vhost/vhost_ssl_header.erb
+++ b/templates/vhost/vhost_ssl_header.erb
@ -9,6 +9,9 @@ server {

  ssl_certificate           <%= scope.lookupvar('nginx::params::nx_conf_dir') %>/<%= @name.gsub(' ', '_') %>.crt;
  ssl_certificate_key       <%= scope.lookupvar('nginx::params::nx_conf_dir') %>/<%= @name.gsub(' ', '_') %>.key;
+<% if defined? @ssl_dhparam -%>
+  ssl_dhparam               <%= scope.lookupvar('nginx::params::nx_conf_dir') %>/<%= @name.gsub(' ', '_') %>.dh.pem;
+<% end -%>
  ssl_session_cache         <%= @ssl_cache %>;
  ssl_session_timeout       5m;
  ssl_protocols             <%= @ssl_protocols %>;