Merge pull request #48 from microcosm-cc/master

SSL improvements (default ciphers & caching), server_tokens option, and proxy_set_headers for vhosts
Este commit está contenido en:
James Fryman 2013-04-25 07:51:04 -07:00
commit 7b56556529
Se han modificado 13 ficheros con 53 adiciones y 47 borrados

Ver fichero

@ -17,7 +17,8 @@ class nginx::config(
$worker_processes = $nginx::params::nx_worker_processes,
$worker_connections = $nginx::params::nx_worker_connections,
$proxy_set_header = $nginx::params::nx_proxy_set_header,
$confd_purge = $nginx::params::nx_confd_purge
$confd_purge = $nginx::params::nx_confd_purge,
$server_tokens = $nginx::params::nx_server_tokens
) inherits nginx::params {
File {
owner => 'root',

Ver fichero

@ -35,7 +35,8 @@ class nginx (
$confd_purge = $nginx::params::nx_confd_purge,
$configtest_enable = $nginx::params::nx_configtest_enable,
$service_restart = $nginx::params::nx_service_restart,
$mail = $nginx::params::nx_mail
$mail = $nginx::params::nx_mail,
$server_tokens = $nginx::params::nx_server_tokens
) inherits nginx::params {
include stdlib
@ -45,12 +46,13 @@ class nginx (
}
class { 'nginx::config':
worker_processes => $worker_processes,
worker_connections => $worker_connections,
proxy_set_header => $proxy_set_header,
confd_purge => $confd_purge,
require => Class['nginx::package'],
notify => Class['nginx::service'],
worker_processes => $worker_processes,
worker_connections => $worker_connections,
proxy_set_header => $proxy_set_header,
confd_purge => $confd_purge,
server_tokens => $server_tokens,
require => Class['nginx::package'],
notify => Class['nginx::service'],
}
class { 'nginx::service':

Ver fichero

@ -21,15 +21,20 @@ class nginx::params {
$nx_confd_purge = false
$nx_worker_processes = 1
$nx_worker_connections = 1024
$nx_multi_accept = off
$nx_multi_accept = on
$nx_events_use = epoll # One of [kqueue|rtsig|epoll|/dev/poll|select|poll|eventport] or false to use OS default
$nx_sendfile = on
$nx_keepalive_timeout = 65
$nx_tcp_nodelay = on
$nx_gzip = on
$nx_server_tokens = off
$nx_spdy = on
$nx_ssl_stapling = on
$nx_proxy_redirect = off
$nx_proxy_set_header = [
'Host $host', 'X-Real-IP $remote_addr',
'Host $host',
'X-Real-IP $remote_addr',
'X-Forwarded-For $proxy_add_x_forwarded_for',
]
@ -51,7 +56,7 @@ class nginx::params {
}
$nx_daemon_user = $::operatingsystem ? {
/(?i-mx:debian|ubuntu)/ => 'www-data',
/(?i-mx:debian|ubuntu)/ => 'www-data',
/(?i-mx:fedora|rhel|redhat|centos|scientific|suse|opensuse|amazon)/ => 'nginx',
}

Ver fichero

@ -54,6 +54,7 @@ define nginx::resource::vhost (
$ssl_port = '443',
$proxy = undef,
$proxy_read_timeout = $nginx::params::nx_proxy_read_timeout,
$proxy_set_header = [],
$index_files = [
'index.html',
'index.htm',

Ver fichero

@ -14,19 +14,19 @@
#
# This class file is not called directly
class nginx::service(
$configtest_enable = $nginx::params::nx_configtest_enable,
$service_restart = $nginx::params::nx_service_restart
$configtest_enable = $nginx::params::nx_configtest_enable,
$service_restart = $nginx::params::nx_service_restart
) {
exec { 'rebuild-nginx-vhosts':
command => "/bin/cat ${nginx::params::nx_temp_dir}/nginx.d/* > ${nginx::params::nx_conf_dir}/conf.d/vhost_autogen.conf",
refreshonly => true,
unless => "/usr/bin/test ! -f ${nginx::params::nx_temp_dir}/nginx.d/*",
unless => "/usr/bin/test ! -f ${nginx::params::nx_temp_dir}/nginx.d/*",
subscribe => File["${nginx::params::nx_temp_dir}/nginx.d"],
}
exec { 'rebuild-nginx-mailhosts':
command => "/bin/cat ${nginx::params::nx_temp_dir}/nginx.mail.d/* > ${nginx::params::nx_conf_dir}/conf.mail.d/vhost_autogen.conf",
refreshonly => true,
unless => "/usr/bin/test ! -f ${nginx::params::nx_temp_dir}/nginx.mail.d/*",
unless => "/usr/bin/test ! -f ${nginx::params::nx_temp_dir}/nginx.mail.d/*",
subscribe => File["${nginx::params::nx_temp_dir}/nginx.mail.d"],
}
service { "nginx":

Ver fichero

@ -7,6 +7,7 @@ pid <%= scope.lookupvar('nginx::params::nx_pid')%>;
events {
worker_connections <%= worker_connections %>;
<% if scope.lookupvar('nginx::params::nx_multi_accept') == 'on' %>multi_accept on;<% end %>
<% if scope.lookupvar('nginx::params::nx_events_use') %>use <%= scope.lookupvar('nginx::params::nx_events_use')%>;<% end %>
}
http {
@ -17,9 +18,8 @@ http {
sendfile <%= scope.lookupvar('nginx::params::nx_sendfile')%>;
<% if scope.lookupvar('nginx::params::nx_tcp_nopush') == 'on' %>
tcp_nopush on;
<% end %>
server_tokens <%= server_tokens %>;
<% if scope.lookupvar('nginx::params::nx_tcp_nopush') == 'on' %>tcp_nopush on;<% end %>
keepalive_timeout <%= scope.lookupvar('nginx::params::nx_keepalive_timeout')%>;
tcp_nodelay <%= scope.lookupvar('nginx::params::nx_tcp_nodelay')%>;

Ver fichero

@ -6,5 +6,4 @@ proxy_send_timeout <%= scope.lookupvar('nginx::params::nx_proxy_send_timeou
proxy_read_timeout <%= scope.lookupvar('nginx::params::nx_proxy_read_timeout') %>;
proxy_buffers <%= scope.lookupvar('nginx::params::nx_proxy_buffers') %>;
<% proxy_set_header.each do |header| %>
proxy_set_header <%= header %>;
<% end %>
proxy_set_header <%= header %>;<% end %>

Ver fichero

@ -1,8 +1,6 @@
upstream <%= name %> {
<% if @upstream_cfg_prepend -%><% upstream_cfg_prepend.each do |key,value| -%>
<%= key %> <%= value %>;
<% end -%><% end -%>
<%= key %> <%= value %>;<% end -%><% end -%>
<% members.each do |i| %>
server <%= i %>;
<% end %>
server <%= i %>;<% end %>
}

Ver fichero

@ -6,3 +6,6 @@ server {
<% end %>
server_name <%= rewrite_www_to_non_www ? name.gsub(/^www\./, '') : server_name.join(" ") %>;
access_log <%= scope.lookupvar('nginx::params::nx_logdir')%>/<%= name %>.access.log;
<% proxy_set_header.each do |header| %>
proxy_set_header <%= header %>;<% end %>

Ver fichero

@ -1,9 +1,7 @@
location <%= location %> {
<% if @location_cfg_prepend -%><% location_cfg_prepend.each do |key,value| -%>
<%= key %> <%= value %>;
<% end -%><% end -%>
alias <%= location_alias %>;
<%= key %> <%= value %>;<% end -%><% end -%>
alias <%= location_alias %>;
<% if @location_cfg_append -%><% location_cfg_append.each do |key,value| -%>
<%= key %> <%= value %>;
<% end -%><% end -%>
<%= key %> <%= value %>;<% end -%><% end -%>
}

Ver fichero

@ -1,10 +1,8 @@
location <%= location %> {
<% if @location_cfg_prepend -%><% location_cfg_prepend.each do |key,value| -%>
<%= key %> <%= value %>;
<% end -%><% end -%>
proxy_pass <%= proxy %>;
<%= key %> <%= value %>;<% end -%><% end -%>
proxy_pass <%= proxy %>;
proxy_read_timeout <%= proxy_read_timeout %>;
<% if @location_cfg_append -%><% location_cfg_append.each do |key,value| -%>
<%= key %> <%= value %>;
<% end -%><% end -%>
<%= key %> <%= value %>;<% end -%><% end -%>
}

Ver fichero

@ -1,9 +1,7 @@
location <%= location %> {
<% if @location_cfg_prepend -%><% location_cfg_prepend.each do |key,value| -%>
<%= key %> <%= value %>;
<% end -%><% end -%>
<%= key %> <%= value %>;<% end -%><% end -%>
stub_status on;
<% if @location_cfg_append -%><% location_cfg_append.each do |key,value| -%>
<%= key %> <%= value %>;
<% end -%><% end -%>
<%= key %> <%= value %>;<% end -%><% end -%>
}

Ver fichero

@ -1,16 +1,19 @@
server {
listen <%= ssl_port %>;
listen <%= ssl_port %><% if scope.lookupvar('nginx::params::nx_spdy') == 'on' %> ssl spdy<% end %>;
<% if ipv6_enable == 'true' && (defined? ipaddress6) %>
listen [<%= ipv6_listen_ip %>]:<%= ipv6_listen_port %> <% if @ipv6_listen_options %><%= ipv6_listen_options %><% end %> ipv6only=on;
<% end %>
server_name <%= rewrite_www_to_non_www ? name.gsub(/^www\./, '') : server_name.join(" ") %>;
ssl on;
ssl_certificate <%= ssl_cert %>;
ssl_certificate_key <%= ssl_key %>;
ssl on;
ssl_certificate <%= ssl_cert %>;
ssl_certificate_key <%= ssl_key %>;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
<% if scope.lookupvar('nginx::params::nx_ssl_stapling') == 'on' %>ssl_stapling on;<% end %>
<% if scope.lookupvar('nginx::params::nx_spdy') == 'on' %>spdy_headers_comp 1;<% end %>
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;
<% proxy_set_header.each do |header| %>
proxy_set_header <%= header %>;<% end %>