provides ssl_client_verify support

2015-03-23 13:59:30 -05:00 · 2015-03-23 13:59:30 -05:00 · e333db6c39
commit e333db6c39
parent 13b2e4493d
2 changed files with 16 additions and 0 deletions
--- a/manifests/resource/vhost.pp
+++ b/manifests/resource/vhost.pp
@ -44,6 +44,8 @@
 #     vhost.
 #   [*ssl_cert*]            - Pre-generated SSL Certificate file to reference
 #     for SSL Support. This is not generated by this module.
+#   [*ssl_client_cert*]     - Pre-generated SSL Certificate file to reference
+#     for client verify SSL Support. This is not generated by this module.
 #   [*ssl_dhparam*]         - This directive specifies a file containing
 #     Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
 #     format, utilized for exchanging session keys between server and client.
@ -162,6 +164,7 @@ define nginx::resource::vhost (
  $ssl                          = false,
  $ssl_listen_option            = true,
  $ssl_cert                     = undef,
+  $ssl_client_cert              = undef,
  $ssl_dhparam                  = undef,
  $ssl_key                      = undef,
  $ssl_port                     = '443',
@ -262,6 +265,9 @@ define nginx::resource::vhost (
  if ($ssl_cert != undef) {
    validate_string($ssl_cert)
  }
+  if ($ssl_client_cert != undef) {
+    validate_string($ssl_cert)
+  }
  validate_bool($ssl_listen_option)
  if ($ssl_dhparam != undef) {
    validate_string($ssl_dhparam)
@ -605,6 +611,12 @@ define nginx::resource::vhost (
      mode   => '0444',
      source => $ssl_cert,
    })
+
+    ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.client.crt", {
+      owner  => $::nginx::config::daemon_user,
+      mode   => '0444',
+      source => $ssl_client_cert,
+    })
    ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.key", {
      owner  => $::nginx::config::daemon_user,
      mode   => '0440',
--- a/templates/vhost/vhost_ssl_header.erb
+++ b/templates/vhost/vhost_ssl_header.erb
@ -46,6 +46,10 @@ server {

  ssl_certificate           <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.crt;
  ssl_certificate_key       <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.key;
+<% if defined? @ssl_client_cert -%>
+  ssl_client_certificate    <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.client.crt;
+  ssl_verify_client on;
+<% end -%>
 <% if defined? @ssl_dhparam -%>
  ssl_dhparam               <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.dh.pem;
 <% end -%>