vhost: don't copy any SSL files

Matthew Haughton 2015-04-14 12:35:50 -04:00 committed by Matthew Haughton
parent 086510c520
commit be4decdb78
3 changed files with 32 additions and 54 deletions


@ -630,49 +630,6 @@ define nginx::resource::vhost (
content => template('nginx/vhost/vhost_ssl_footer.erb'),
order => '999',
}
#Generate ssl key/cert with provided file-locations
$cert = regsubst($name,' ','_', 'G')
# Check if the file has been defined before creating the file to
# avoid the error when using wildcard cert on the multiple vhosts
ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.crt", {
owner => $::nginx::config::daemon_user,
mode => '0444',
source => $ssl_cert,
})
ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.client.crt", {
owner => $::nginx::config::daemon_user,
mode => '0444',
source => $ssl_client_cert,
})
ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.key", {
owner => $::nginx::config::daemon_user,
mode => '0440',
source => $ssl_key,
})
if ($ssl_dhparam != undef) {
ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.dh.pem", {
owner => $::nginx::config::daemon_user,
mode => '0440',
source => $ssl_dhparam,
})
}
if ($ssl_stapling_file != undef) {
ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.ocsp.resp", {
owner => $::nginx::config::daemon_user,
mode => '0440',
source => $ssl_stapling_file,
})
}
if ($ssl_trusted_cert != undef) {
ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.trusted.crt", {
owner => $::nginx::config::daemon_user,
mode => '0440',
source => $ssl_trusted_cert,
})
}
}
file{ "${name_sanitized}.conf symlink":


@ -428,6 +428,30 @@ describe 'nginx::resource::vhost' do
:value => false,
:match => %r'\s+server_name\s+www.rspec.example.com;',
},
{
:title => 'should set the SSL client certificate file',
:attr => 'ssl_client_cert',
:value => '/tmp/client_certificate',
:match => %r'\s+ssl_client_certificate\s+/tmp/client_certificate;',
},
{
:title => 'should set the SSL DH parameters file',
:attr => 'ssl_dhparam',
:value => '/tmp/dhparam',
:match => %r'\s+ssl_dhparam\s+/tmp/dhparam;',
},
{
:title => 'should set the SSL stapling file',
:attr => 'ssl_stapling_file',
:value => '/tmp/stapling_file',
:match => %r'\s+ssl_stapling_file\s+/tmp/stapling_file;',
},
{
:title => 'should set the SSL trusted certificate file',
:attr => 'ssl_trusted_cert',
:value => '/tmp/trusted_certificate',
:match => %r'\s+ssl_trusted_certificate\s+/tmp/trusted_certificate;',
},
{
:title => 'should set the SSL cache',
:attr => 'ssl_cache',
@ -816,9 +840,9 @@ describe 'nginx::resource::vhost' do
it { is_expected.to contain_nginx__resource__location("#{title}-default").with_ssl_only(true) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{access_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.access\.log combined;}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{error_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.error\.log}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_certificate\s+dummy.cert;}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_certificate_key\s+dummy.key;}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-footer") }
it { is_expected.to contain_file("/etc/nginx/#{title}.crt") }
it { is_expected.to contain_file("/etc/nginx/#{title}.key") }
end
context 'when ssl_client_cert is set' do
@ -835,9 +859,6 @@ describe 'nginx::resource::vhost' do
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{access_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.access\.log combined;}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{error_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.error\.log}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_verify_client on;}) }
it { is_expected.to contain_file("/etc/nginx/#{title}.crt") }
it { is_expected.to contain_file("/etc/nginx/#{title}.client.crt") }
it { is_expected.to contain_file("/etc/nginx/#{title}.key") }
end
context 'when passenger_cgi_param is set' do
let :params do default_params.merge({
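Review bot: The `contain_file("/etc/nginx/#{title}.key")` and `.crt` expectations in the SSL contexts appear to be dropped without a negative counterpart, so this spec would not fail if a later change started copying key material into the nginx conf dir again. Consider adding `it { is_expected.not_to contain_file("/etc/nginx/#{title}.key") }`, and the same for `.crt`, in those contexts. The four new table entries cover only the case where the parameter is set; an example asserting that `ssl_client_certificate` is absent when `ssl_client_cert` is unset would pin the `defined?` guards in the template. The dots in `%r{ssl_certificate\s+dummy.cert;}` are also unescaped and match any character. The +/- markers are lost on this page, so which lines are new is inferred from the commit title.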


@ -1,13 +1,13 @@
ssl on;
ssl_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.crt;
ssl_certificate_key <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.key;
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
<% if defined? @ssl_client_cert -%>
ssl_client_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.client.crt;
ssl_client_certificate <%= @ssl_client_cert %>;
ssl_verify_client on;
<% end -%>
<% if defined? @ssl_dhparam -%>
ssl_dhparam <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.dh.pem;
ssl_dhparam <%= @ssl_dhparam %>;
<% end -%>
ssl_session_cache <%= @ssl_cache %>;
ssl_session_timeout <%= @ssl_session_timeout %>;
@ -19,7 +19,7 @@
ssl_stapling on;
<%- end -%>
<%- if defined? @ssl_stapling_file -%>
ssl_stapling_file <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.ocsp.resp;
ssl_stapling_file <%= @ssl_stapling_file %>;
<%- end -%>
<%- if defined? @ssl_stapling_responder -%>
ssl_stapling_responder <%= @ssl_stapling_responder %>;
@ -28,7 +28,7 @@
ssl_stapling_verify on;
<%- end -%>
<%- if defined? @ssl_trusted_cert -%>
ssl_trusted_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.trusted.crt;
ssl_trusted_certificate <%= @ssl_trusted_cert %>;
<%- end -%>
<% end -%>
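Review bot: `ssl_certificate <%= @ssl_cert %>;` and the other rewritten directives now emit the parameter values verbatim, and nothing visible on this page checks that they are absolute paths on the node. The removed `file` resources used the same parameters as `source =>`, so callers may still pass `puppet:///` URLs, which would now render into a config nginx cannot load. Calling `validate_absolute_path($ssl_cert)` and `validate_absolute_path($ssl_key)` in the define when SSL is enabled would fail the catalog early instead, though such a check may already exist outside the visible hunks. The module also no longer sets owner and mode on the key file, so a template comment such as `<%# ssl_key must already exist on the node, readable only by root; this module does not manage its permissions -%>` would tell operators that this is now their responsibility.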