Merge pull request #623 from 3flex/599-ssl-updates

SSL updates
This commit is contained in:
Matthew Haughton 2015-05-12 13:34:06 -04:00
commit 9d456955c2
3 changed files with 46 additions and 54 deletions


@ -46,6 +46,7 @@
# for SSL Support. This is not generated by this module. # for SSL Support. This is not generated by this module.
# [*ssl_client_cert*] - Pre-generated SSL Certificate file to reference # [*ssl_client_cert*] - Pre-generated SSL Certificate file to reference
# for client verify SSL Support. This is not generated by this module. # for client verify SSL Support. This is not generated by this module.
# [*ssl_crl*] - String: Specifies CRL path in file system
# [*ssl_dhparam*] - This directive specifies a file containing # [*ssl_dhparam*] - This directive specifies a file containing
# Diffie-Hellman key agreement protocol cryptographic parameters, in PEM # Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
# format, utilized for exchanging session keys between server and client. # format, utilized for exchanging session keys between server and client.
@ -178,6 +179,7 @@ define nginx::resource::vhost (
$ssl_protocols = 'TLSv1 TLSv1.1 TLSv1.2', $ssl_protocols = 'TLSv1 TLSv1.1 TLSv1.2',
$ssl_ciphers = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA', $ssl_ciphers = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA',
$ssl_cache = 'shared:SSL:10m', $ssl_cache = 'shared:SSL:10m',
$ssl_crl = undef,
$ssl_stapling = false, $ssl_stapling = false,
$ssl_stapling_file = undef, $ssl_stapling_file = undef,
$ssl_stapling_responder = undef, $ssl_stapling_responder = undef,
@ -280,6 +282,9 @@ define nginx::resource::vhost (
if ($ssl_client_cert != undef) { if ($ssl_client_cert != undef) {
validate_string($ssl_client_cert) validate_string($ssl_client_cert)
} }
if ($ssl_crl != undef) {
validate_string($ssl_crl)
}
validate_bool($ssl_listen_option) validate_bool($ssl_listen_option)
if ($ssl_dhparam != undef) { if ($ssl_dhparam != undef) {
validate_string($ssl_dhparam) validate_string($ssl_dhparam)
@ -630,49 +635,6 @@ define nginx::resource::vhost (
content => template('nginx/vhost/vhost_ssl_footer.erb'), content => template('nginx/vhost/vhost_ssl_footer.erb'),
order => '999', order => '999',
} }
#Generate ssl key/cert with provided file-locations
$cert = regsubst($name,' ','_', 'G')
# Check if the file has been defined before creating the file to
# avoid the error when using wildcard cert on the multiple vhosts
ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.crt", {
owner => $::nginx::config::daemon_user,
mode => '0444',
source => $ssl_cert,
})
ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.client.crt", {
owner => $::nginx::config::daemon_user,
mode => '0444',
source => $ssl_client_cert,
})
ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.key", {
owner => $::nginx::config::daemon_user,
mode => '0440',
source => $ssl_key,
})
if ($ssl_dhparam != undef) {
ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.dh.pem", {
owner => $::nginx::config::daemon_user,
mode => '0440',
source => $ssl_dhparam,
})
}
if ($ssl_stapling_file != undef) {
ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.ocsp.resp", {
owner => $::nginx::config::daemon_user,
mode => '0440',
source => $ssl_stapling_file,
})
}
if ($ssl_trusted_cert != undef) {
ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.trusted.crt", {
owner => $::nginx::config::daemon_user,
mode => '0440',
source => $ssl_trusted_cert,
})
}
} }
file{ "${name_sanitized}.conf symlink": file{ "${name_sanitized}.conf symlink":
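Review bot: The `validate_string($ssl_crl)` check added in the third hunk only confirms the type, yet with the `ensure_resource('file', ...)` copies dropped in the last hunk the value is now written verbatim into the generated `ssl_crl` directive, so `validate_absolute_path($ssl_crl)` would be the tighter check here; the same reasoning applies to `ssl_cert`, `ssl_key`, `ssl_client_cert`, `ssl_dhparam`, `ssl_stapling_file` and `ssl_trusted_cert`, whose managed copies (with their explicit owner and 0440/0444 modes) are gone. The new doc line in the first hunk should tell the caller what the module no longer does for them, e.g. `# [*ssl_crl*] - String: Absolute path to a CRL file that already exists on the node; it is referenced in place and its ownership and mode are not managed by this module.` The body of `define nginx::resource::vhost` starts and ends outside these hunks.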


@ -428,6 +428,36 @@ describe 'nginx::resource::vhost' do
:value => false, :value => false,
:match => %r'\s+server_name\s+www.rspec.example.com;', :match => %r'\s+server_name\s+www.rspec.example.com;',
}, },
{
:title => 'should set the SSL client certificate file',
:attr => 'ssl_client_cert',
:value => '/tmp/client_certificate',
:match => %r'\s+ssl_client_certificate\s+/tmp/client_certificate;',
},
{
:title => 'should set the SSL CRL file',
:attr => 'ssl_crl',
:value => '/tmp/crl',
:match => %r'\s+ssl_crl\s+/tmp/crl;',
},
{
:title => 'should set the SSL DH parameters file',
:attr => 'ssl_dhparam',
:value => '/tmp/dhparam',
:match => %r'\s+ssl_dhparam\s+/tmp/dhparam;',
},
{
:title => 'should set the SSL stapling file',
:attr => 'ssl_stapling_file',
:value => '/tmp/stapling_file',
:match => %r'\s+ssl_stapling_file\s+/tmp/stapling_file;',
},
{
:title => 'should set the SSL trusted certificate file',
:attr => 'ssl_trusted_cert',
:value => '/tmp/trusted_certificate',
:match => %r'\s+ssl_trusted_certificate\s+/tmp/trusted_certificate;',
},
{ {
:title => 'should set the SSL cache', :title => 'should set the SSL cache',
:attr => 'ssl_cache', :attr => 'ssl_cache',
@ -816,9 +846,9 @@ describe 'nginx::resource::vhost' do
it { is_expected.to contain_nginx__resource__location("#{title}-default").with_ssl_only(true) } it { is_expected.to contain_nginx__resource__location("#{title}-default").with_ssl_only(true) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{access_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.access\.log combined;}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{access_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.access\.log combined;}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{error_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.error\.log}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{error_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.error\.log}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_certificate\s+dummy.cert;}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_certificate_key\s+dummy.key;}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-footer") } it { is_expected.to contain_concat__fragment("#{title}-ssl-footer") }
it { is_expected.to contain_file("/etc/nginx/#{title}.crt") }
it { is_expected.to contain_file("/etc/nginx/#{title}.key") }
end end
context 'when ssl_client_cert is set' do context 'when ssl_client_cert is set' do
@ -835,9 +865,6 @@ describe 'nginx::resource::vhost' do
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{access_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.access\.log combined;}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{access_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.access\.log combined;}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{error_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.error\.log}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{error_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.error\.log}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_verify_client on;}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_verify_client on;}) }
it { is_expected.to contain_file("/etc/nginx/#{title}.crt") }
it { is_expected.to contain_file("/etc/nginx/#{title}.client.crt") }
it { is_expected.to contain_file("/etc/nginx/#{title}.key") }
end end
context 'when passenger_cgi_param is set' do context 'when passenger_cgi_param is set' do
let :params do default_params.merge({ let :params do default_params.merge({
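Review bot: The new `ssl_crl` case in the first hunk asserts only the positive path, that the directive appears when the parameter is set, and nothing checks that `ssl_crl` stays out of the rendered SSL header when the parameter is left at its `undef` default, which is the case the template's new conditional exists for. A line such as `it { is_expected.not_to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_crl}) }` in the existing SSL context (the one checking the `-ssl-header` fragment in the second hunk) would cover it. The enclosing `describe`/`context` blocks start and end outside the hunks.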


@ -1,25 +1,28 @@
ssl on; ssl on;
ssl_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.crt; ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.key; ssl_certificate_key <%= @ssl_key %>;
<% if defined? @ssl_client_cert -%> <% if defined? @ssl_client_cert -%>
ssl_client_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.client.crt; ssl_client_certificate <%= @ssl_client_cert %>;
ssl_verify_client on; ssl_verify_client on;
<% end -%> <% end -%>
<% if defined? @ssl_dhparam -%> <% if defined? @ssl_dhparam -%>
ssl_dhparam <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.dh.pem; ssl_dhparam <%= @ssl_dhparam %>;
<% end -%> <% end -%>
ssl_session_cache <%= @ssl_cache %>; ssl_session_cache <%= @ssl_cache %>;
ssl_session_timeout <%= @ssl_session_timeout %>; ssl_session_timeout <%= @ssl_session_timeout %>;
ssl_protocols <%= @ssl_protocols %>; ssl_protocols <%= @ssl_protocols %>;
ssl_ciphers <%= @ssl_ciphers %>; ssl_ciphers <%= @ssl_ciphers %>;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
<% if @ssl_crl -%>
ssl_crl <%= @ssl_crl %>;
<% end -%>
<%- if instance_variables.any? { |iv| iv.to_s.include? 'ssl_' } -%> <%- if instance_variables.any? { |iv| iv.to_s.include? 'ssl_' } -%>
<%- if @ssl_stapling -%> <%- if @ssl_stapling -%>
ssl_stapling on; ssl_stapling on;
<%- end -%> <%- end -%>
<%- if defined? @ssl_stapling_file -%> <%- if defined? @ssl_stapling_file -%>
ssl_stapling_file <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.ocsp.resp; ssl_stapling_file <%= @ssl_stapling_file %>;
<%- end -%> <%- end -%>
<%- if defined? @ssl_stapling_responder -%> <%- if defined? @ssl_stapling_responder -%>
ssl_stapling_responder <%= @ssl_stapling_responder %>; ssl_stapling_responder <%= @ssl_stapling_responder %>;
@ -28,7 +31,7 @@
ssl_stapling_verify on; ssl_stapling_verify on;
<%- end -%> <%- end -%>
<%- if defined? @ssl_trusted_cert -%> <%- if defined? @ssl_trusted_cert -%>
ssl_trusted_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.trusted.crt; ssl_trusted_certificate <%= @ssl_trusted_cert %>;
<%- end -%> <%- end -%>
<% end -%> <% end -%>
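Review bot: The new guard `<% if @ssl_crl -%>` is written differently from every other optional directive in this template, which use `defined?` checks such as `<% if defined? @ssl_client_cert -%>`; `<% if defined? @ssl_crl -%>` would keep the file consistent. The two forms only agree if an `undef` parameter reaches the template as an unset or nil instance variable rather than some non-nil placeholder, which I cannot confirm from this diff, so whichever form is correct for this Puppet version should be the one used throughout. The paths interpolated by the changed `ssl_certificate`, `ssl_certificate_key`, `ssl_client_certificate`, `ssl_dhparam`, `ssl_stapling_file` and `ssl_trusted_certificate` lines are now taken verbatim from the manifest parameters, so this template relies entirely on the manifest's parameter validation for them.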