opuppet/module-nginx
5
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge pull request #582 from jamescarr/support-ssl-client-verify

Browse source 
Support ssl client verify
This commit is contained in:
James Fryman 2015-03-23 15:05:39 -05:00
commit acaa4e99ee
4 changed files with 51 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
manifests/resource/vhost.pp
View file

@ -44,6 +44,8 @@
# vhost. # vhost.
# [*ssl_cert*] - Pre-generated SSL Certificate file to reference # [*ssl_cert*] - Pre-generated SSL Certificate file to reference
# for SSL Support. This is not generated by this module. # for SSL Support. This is not generated by this module.
# [*ssl_client_cert*] - Pre-generated SSL Certificate file to reference
# for client verify SSL Support. This is not generated by this module.
# [*ssl_dhparam*] - This directive specifies a file containing # [*ssl_dhparam*] - This directive specifies a file containing
# Diffie-Hellman key agreement protocol cryptographic parameters, in PEM # Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
# format, utilized for exchanging session keys between server and client. # format, utilized for exchanging session keys between server and client.
@ -162,6 +164,7 @@ define nginx::resource::vhost (
$ssl = false, $ssl = false,
$ssl_listen_option = true, $ssl_listen_option = true,
$ssl_cert = undef, $ssl_cert = undef,
$ssl_client_cert = undef,
$ssl_dhparam = undef, $ssl_dhparam = undef,
$ssl_key = undef, $ssl_key = undef,
$ssl_port = '443', $ssl_port = '443',
@ -262,6 +265,9 @@ define nginx::resource::vhost (
if ($ssl_cert != undef) { if ($ssl_cert != undef) {
validate_string($ssl_cert) validate_string($ssl_cert)
} }
if ($ssl_client_cert != undef) {
validate_string($ssl_client_cert)
}
validate_bool($ssl_listen_option) validate_bool($ssl_listen_option)
if ($ssl_dhparam != undef) { if ($ssl_dhparam != undef) {
validate_string($ssl_dhparam) validate_string($ssl_dhparam)
@ -605,6 +611,12 @@ define nginx::resource::vhost (
mode => '0444', mode => '0444',
source => $ssl_cert, source => $ssl_cert,
}) })
ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.client.crt", {
owner => $::nginx::config::daemon_user,
mode => '0444',
source => $ssl_client_cert,
})
ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.key", { ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.key", {
owner => $::nginx::config::daemon_user, owner => $::nginx::config::daemon_user,
mode => '0440', mode => '0440',

18
spec/defines/resource_vhost_spec.rb
View file

@ -812,6 +812,24 @@ describe 'nginx::resource::vhost' do
it { is_expected.to contain_file("/etc/nginx/#{title}.key") } it { is_expected.to contain_file("/etc/nginx/#{title}.key") }
end end
context 'when ssl_client_cert is set' do
let :params do default_params.merge({
:ssl => true,
:listen_port => 80,
:ssl_port => 80,
:ssl_key => 'dummy.key',
:ssl_cert => 'dummy.cert',
:ssl_client_cert => 'client.cert',
}) end
it { is_expected.to contain_nginx__resource__location("#{title}-default").with_ssl_only(true) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{access_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.access\.log combined;}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{error_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.error\.log}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_verify_client on;}) }
it { is_expected.to contain_file("/etc/nginx/#{title}.crt") }
it { is_expected.to contain_file("/etc/nginx/#{title}.client.crt") }
it { is_expected.to contain_file("/etc/nginx/#{title}.key") }
end
context 'when passenger_cgi_param is set' do context 'when passenger_cgi_param is set' do
let :params do default_params.merge({ let :params do default_params.merge({
:passenger_cgi_param => { 'test1' => 'test value 1', 'test2' => 'test value 2', 'test3' => 'test value 3' } :passenger_cgi_param => { 'test1' => 'test value 1', 'test2' => 'test value 2', 'test3' => 'test value 3' }

4
templates/vhost/vhost_ssl_header.erb
View file

@ -46,6 +46,10 @@ server {
ssl_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.crt; ssl_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.crt;
ssl_certificate_key <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.key; ssl_certificate_key <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.key;
<% if defined? @ssl_client_cert -%>
ssl_client_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.client.crt;
ssl_verify_client on;
<% end -%>
<% if defined? @ssl_dhparam -%> <% if defined? @ssl_dhparam -%>
ssl_dhparam <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.dh.pem; ssl_dhparam <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.dh.pem;
<% end -%> <% end -%>

17
tests/vhost_ssl.pp
View file

@ -1,5 +1,14 @@
include nginx include nginx
nginx::resource::vhost { 'test3.local test3':
ensure => present,
www_root => '/var/www/nginx-default',
ssl => true,
ssl_cert => 'puppet:///modules/sslkey/whildcard_mydomain.crt',
ssl_client_cert => 'puppet:///modules/sslkey/whildcard_mydomain.crt',
ssl_key => 'puppet:///modules/sslkey/whildcard_mydomain.key'
}
nginx::resource::vhost { 'test2.local test2': nginx::resource::vhost { 'test2.local test2':
ensure => present, ensure => present,
www_root => '/var/www/nginx-default', www_root => '/var/www/nginx-default',
@ -15,3 +24,11 @@ nginx::resource::location { 'test2.local-bob':
vhost => 'test2.local test2', vhost => 'test2.local test2',
} }
nginx::resource::location { 'test3.local-bob':
ensure => present,
www_root => '/var/www/bob',
location => '/bob',
vhost => 'test3.local test3',
}