Merge pull request #48 from microcosm-cc/master

SSL improvements (default ciphers & caching), server_tokens option, and proxy_set_headers for vhosts

manifests/config.pp

@@ -17,7 +17,8 @@ class nginx::config(
   $worker_processes    = $nginx::params::nx_worker_processes,
   $worker_connections  = $nginx::params::nx_worker_connections,
   $proxy_set_header    = $nginx::params::nx_proxy_set_header,
-  $confd_purge         = $nginx::params::nx_confd_purge
+  $confd_purge         = $nginx::params::nx_confd_purge,
+  $server_tokens       = $nginx::params::nx_server_tokens
 ) inherits nginx::params {
   File {
     owner => 'root',

manifests/init.pp

@@ -35,7 +35,8 @@ class nginx (
   $confd_purge        = $nginx::params::nx_confd_purge,
   $configtest_enable  = $nginx::params::nx_configtest_enable,
   $service_restart    = $nginx::params::nx_service_restart,
-  $mail               = $nginx::params::nx_mail
+  $mail               = $nginx::params::nx_mail,
+  $server_tokens      = $nginx::params::nx_server_tokens
 ) inherits nginx::params {
 
   include stdlib
@@ -45,12 +46,13 @@ class nginx (
   }
 
   class { 'nginx::config':
-    worker_processes 	=> $worker_processes,
-    worker_connections 	=> $worker_connections,
-    proxy_set_header 	=> $proxy_set_header,
-    confd_purge         => $confd_purge,
-    require 		=> Class['nginx::package'],
-    notify  		=> Class['nginx::service'],
+    worker_processes   => $worker_processes,
+    worker_connections => $worker_connections,
+    proxy_set_header   => $proxy_set_header,
+    confd_purge        => $confd_purge,
+    server_tokens      => $server_tokens,
+    require            => Class['nginx::package'],
+    notify             => Class['nginx::service'],
   }
 
   class { 'nginx::service': 

manifests/params.pp

@@ -21,15 +21,20 @@ class nginx::params {
   $nx_confd_purge        = false
   $nx_worker_processes   = 1
   $nx_worker_connections = 1024
-  $nx_multi_accept       = off
+  $nx_multi_accept       = on
+  $nx_events_use         = epoll # One of [kqueue|rtsig|epoll|/dev/poll|select|poll|eventport] or false to use OS default
   $nx_sendfile           = on
   $nx_keepalive_timeout  = 65
   $nx_tcp_nodelay        = on
   $nx_gzip               = on
+  $nx_server_tokens      = off
+  $nx_spdy               = on
+  $nx_ssl_stapling       = on
 
   $nx_proxy_redirect          = off
   $nx_proxy_set_header        = [
-    'Host $host', 'X-Real-IP $remote_addr',
+    'Host $host',
+    'X-Real-IP $remote_addr',
     'X-Forwarded-For $proxy_add_x_forwarded_for',
   ]
 
@@ -51,7 +56,7 @@ class nginx::params {
   }
 
   $nx_daemon_user = $::operatingsystem ? {
-    /(?i-mx:debian|ubuntu)/                                      => 'www-data',
+    /(?i-mx:debian|ubuntu)/                                             => 'www-data',
     /(?i-mx:fedora|rhel|redhat|centos|scientific|suse|opensuse|amazon)/ => 'nginx',
   }
 

manifests/resource/vhost.pp

@@ -54,6 +54,7 @@ define nginx::resource::vhost (
   $ssl_port               = '443',
   $proxy                  = undef,
   $proxy_read_timeout     = $nginx::params::nx_proxy_read_timeout,
+  $proxy_set_header       = [],
   $index_files            = [
     'index.html',
     'index.htm',

manifests/service.pp

@@ -14,19 +14,19 @@
 #
 # This class file is not called directly
 class nginx::service(
-  $configtest_enable   = $nginx::params::nx_configtest_enable,
-  $service_restart     = $nginx::params::nx_service_restart
+  $configtest_enable = $nginx::params::nx_configtest_enable,
+  $service_restart   = $nginx::params::nx_service_restart
 ) {
   exec { 'rebuild-nginx-vhosts':
     command     => "/bin/cat ${nginx::params::nx_temp_dir}/nginx.d/* > ${nginx::params::nx_conf_dir}/conf.d/vhost_autogen.conf",
     refreshonly => true,
-    unless	=> "/usr/bin/test ! -f ${nginx::params::nx_temp_dir}/nginx.d/*",
+    unless      => "/usr/bin/test ! -f ${nginx::params::nx_temp_dir}/nginx.d/*",
     subscribe   => File["${nginx::params::nx_temp_dir}/nginx.d"],
   }
   exec { 'rebuild-nginx-mailhosts':
     command     => "/bin/cat ${nginx::params::nx_temp_dir}/nginx.mail.d/* > ${nginx::params::nx_conf_dir}/conf.mail.d/vhost_autogen.conf",
     refreshonly => true,
-    unless	=> "/usr/bin/test ! -f ${nginx::params::nx_temp_dir}/nginx.mail.d/*",
+    unless      => "/usr/bin/test ! -f ${nginx::params::nx_temp_dir}/nginx.mail.d/*",
     subscribe   => File["${nginx::params::nx_temp_dir}/nginx.mail.d"],
   }
   service { "nginx":

templates/conf.d/nginx.conf.erb

@@ -7,6 +7,7 @@ pid        <%= scope.lookupvar('nginx::params::nx_pid')%>;
 events {
   worker_connections <%= worker_connections %>;
   <% if scope.lookupvar('nginx::params::nx_multi_accept') == 'on' %>multi_accept on;<% end %>
+  <% if scope.lookupvar('nginx::params::nx_events_use') %>use <%= scope.lookupvar('nginx::params::nx_events_use')%>;<% end %>
 }
 
 http {
@@ -17,9 +18,8 @@ http {
 
   sendfile    <%= scope.lookupvar('nginx::params::nx_sendfile')%>;
 
-  <% if scope.lookupvar('nginx::params::nx_tcp_nopush') == 'on' %>
-  tcp_nopush  on;
-  <% end %>
+  server_tokens <%= server_tokens %>;
+  <% if scope.lookupvar('nginx::params::nx_tcp_nopush') == 'on' %>tcp_nopush on;<% end %>
 
   keepalive_timeout  <%= scope.lookupvar('nginx::params::nx_keepalive_timeout')%>;
   tcp_nodelay        <%= scope.lookupvar('nginx::params::nx_tcp_nodelay')%>;

templates/conf.d/proxy.conf.erb

@@ -6,5 +6,4 @@ proxy_send_timeout      <%= scope.lookupvar('nginx::params::nx_proxy_send_timeou
 proxy_read_timeout      <%= scope.lookupvar('nginx::params::nx_proxy_read_timeout') %>;
 proxy_buffers           <%= scope.lookupvar('nginx::params::nx_proxy_buffers') %>;
 <% proxy_set_header.each do |header| %>
-proxy_set_header        <%= header %>;
-<% end %>
+proxy_set_header        <%= header %>;<% end %>

templates/conf.d/upstream.erb

@@ -1,8 +1,6 @@
 upstream <%= name %> {
 <% if @upstream_cfg_prepend -%><% upstream_cfg_prepend.each do |key,value| -%>
-  <%= key %> <%= value %>;
-<% end -%><% end -%>
+  <%= key %> <%= value %>;<% end -%><% end -%>
   <% members.each do |i| %>
-  server <%= i %>;
-  <% end %>
+  server     <%= i %>;<% end %>
 }

templates/vhost/vhost_header.erb

@@ -6,3 +6,6 @@ server {
   <% end %>
   server_name           <%= rewrite_www_to_non_www ? name.gsub(/^www\./, '') : server_name.join(" ") %>;
   access_log            <%= scope.lookupvar('nginx::params::nx_logdir')%>/<%= name %>.access.log;
+
+  <% proxy_set_header.each do |header| %>
+  proxy_set_header        <%= header %>;<% end %>

templates/vhost/vhost_location_alias.erb

@@ -1,9 +1,7 @@
   location <%= location %> {
 <% if @location_cfg_prepend -%><% location_cfg_prepend.each do |key,value| -%>
-    <%= key %> <%= value %>;
-<% end -%><% end -%>
-    alias  <%= location_alias %>;
+    <%= key %> <%= value %>;<% end -%><% end -%>
+    alias      <%= location_alias %>;
 <% if @location_cfg_append -%><% location_cfg_append.each do |key,value| -%>
-    <%= key %> <%= value %>;
-<% end -%><% end -%>
+    <%= key %> <%= value %>;<% end -%><% end -%>
   }

templates/vhost/vhost_location_proxy.erb

@@ -1,10 +1,8 @@
   location <%= location %> {
 <% if @location_cfg_prepend -%><% location_cfg_prepend.each do |key,value| -%>
-    <%= key %> <%= value %>;
-<% end -%><% end -%>
-    proxy_pass <%= proxy %>;
+    <%= key %>         <%= value %>;<% end -%><% end -%>
+    proxy_pass         <%= proxy %>;
     proxy_read_timeout <%= proxy_read_timeout %>;
 <% if @location_cfg_append -%><% location_cfg_append.each do |key,value| -%>
-    <%= key %> <%= value %>;
-<% end -%><% end -%>
+    <%= key %>         <%= value %>;<% end -%><% end -%>
   }

templates/vhost/vhost_location_stub_status.erb

@@ -1,9 +1,7 @@
   location <%= location %> {
 <% if @location_cfg_prepend -%><% location_cfg_prepend.each do |key,value| -%>
-    <%= key %> <%= value %>;
-<% end -%><% end -%>
+    <%= key %>  <%= value %>;<% end -%><% end -%>
     stub_status on;
 <% if @location_cfg_append -%><% location_cfg_append.each do |key,value| -%>
-    <%= key %> <%= value %>;
-<% end -%><% end -%>
+    <%= key %>  <%= value %>;<% end -%><% end -%>
   }

templates/vhost/vhost_ssl_header.erb

@@ -1,16 +1,19 @@
 server {
-  listen       <%= ssl_port %>;
+  listen       <%= ssl_port %><% if scope.lookupvar('nginx::params::nx_spdy') == 'on' %> ssl spdy<% end %>;
   <% if ipv6_enable == 'true' && (defined? ipaddress6) %>
   listen [<%= ipv6_listen_ip %>]:<%= ipv6_listen_port %> <% if @ipv6_listen_options %><%= ipv6_listen_options %><% end %> ipv6only=on;
   <% end %>
   server_name  <%= rewrite_www_to_non_www ? name.gsub(/^www\./, '') : server_name.join(" ") %>;
 
-  ssl on;
-  ssl_certificate      <%= ssl_cert %>;
-  ssl_certificate_key  <%= ssl_key %>;
+  ssl                       on;
+  ssl_certificate           <%= ssl_cert %>;
+  ssl_certificate_key       <%= ssl_key %>;
+  ssl_session_cache         shared:SSL:10m;
+  ssl_session_timeout       10m;
+  ssl_ciphers               RC4:HIGH:!aNULL:!MD5;
+  ssl_prefer_server_ciphers on;
+  <% if scope.lookupvar('nginx::params::nx_ssl_stapling') == 'on' %>ssl_stapling              on;<% end %>
+  <% if scope.lookupvar('nginx::params::nx_spdy') == 'on' %>spdy_headers_comp         1;<% end %>
 
-  ssl_session_timeout  5m;
-
-  ssl_protocols  SSLv3 TLSv1;
-  ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
-  ssl_prefer_server_ciphers   on;
+  <% proxy_set_header.each do |header| %>
+  proxy_set_header        <%= header %>;<% end %>