From e333db6c39ca2bac0df03c9cc17024207075c970 Mon Sep 17 00:00:00 2001
From: "James R. Carr"
Date: Mon, 23 Mar 2015 13:59:30 -0500
Subject: [PATCH] provides ssl_client_verify support
---
 manifests/resource/vhost.pp | 12 ++++++++++++
 templates/vhost/vhost_ssl_header.erb | 4 ++++
 2 files changed, 16 insertions(+)
diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp
index ab2cd21..a593533 100644
--- a/manifests/resource/vhost.pp
+++ b/manifests/resource/vhost.pp
@@ -44,6 +44,8 @@
 # vhost.
 # [*ssl_cert*] - Pre-generated SSL Certificate file to reference
 # for SSL Support. This is not generated by this module.
+# [*ssl_client_cert*] - Pre-generated SSL Certificate file to reference
+# for client verify SSL Support. This is not generated by this module.
 # [*ssl_dhparam*] - This directive specifies a file containing
 # Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
 # format, utilized for exchanging session keys between server and client.
@@ -162,6 +164,7 @@ define nginx::resource::vhost (
 $ssl = false,
 $ssl_listen_option = true,
 $ssl_cert = undef,
+ $ssl_client_cert = undef,
 $ssl_dhparam = undef,
 $ssl_key = undef,
 $ssl_port = '443',
@@ -262,6 +265,9 @@ define nginx::resource::vhost (
 if ($ssl_cert != undef) {
 validate_string($ssl_cert)
 }
+ if ($ssl_client_cert != undef) {
+ validate_string($ssl_cert)
+ }
 validate_bool($ssl_listen_option)
 if ($ssl_dhparam != undef) {
 validate_string($ssl_dhparam)
@@ -605,6 +611,12 @@ define nginx::resource::vhost (
 mode => '0444',
 source => $ssl_cert,
 })
+
+ ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.client.crt", {
+ owner => $::nginx::config::daemon_user,
+ mode => '0444',
+ source => $ssl_client_cert,
+ })
 ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.key", {
 owner => $::nginx::config::daemon_user,
 mode => '0440',
diff --git a/templates/vhost/vhost_ssl_header.erb b/templates/vhost/vhost_ssl_header.erb
index 09c8aa1..a59317b 100644
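Review bot: The new `[*ssl_client_cert*]` entry in the parameter docs (hunk at -44) does not say what the file is trusted for or that setting it turns client verification on. The template change in this commit writes the file to `ssl_client_certificate` and emits `ssl_verify_client on;`, so the value is the CA certificate (or bundle) whose issued client certificates nginx will accept, not a certificate the server presents. I would reword it along the lines of `# [*ssl_client_cert*] - Pre-generated CA certificate file (PEM) used to verify client certificates. Setting it makes client certificates mandatory for this vhost. This is not generated by this module.` so operators pick a CA dedicated to this purpose.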
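Review bot: The added guard in the validation hunk (at -262) tests `$ssl_client_cert` but then validates `$ssl_cert`, so the new parameter is never type-checked. The inner line should be `validate_string($ssl_client_cert)`. As written, a non-string value for `ssl_client_cert` passes this block and reaches the `source =>` of the file resource added in the later hunk. The body of the define continues outside the hunk.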
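Review bot: The `ensure_resource('file', "...${cert}.client.crt", ...)` call added in the hunk at -605 is not conditioned on `$ssl_client_cert`, so with the default `undef` the resource is still declared with `source => undef`. Wrapping the call in `if ($ssl_client_cert != undef) {` ... `}` would leave vhosts that do not use client verification untouched and avoid managing a `.client.crt` path that has no content. The enclosing block starts outside the hunk, so an outer condition may already exist, but nothing visible here ties the resource to the new parameter. A blank line after the new `})` would also match the spacing added before it.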
--- a/templates/vhost/vhost_ssl_header.erb
+++ b/templates/vhost/vhost_ssl_header.erb
@@ -46,6 +46,10 @@ server {
 ssl_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.crt;
 ssl_certificate_key <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.key;
+<% if defined? @ssl_client_cert -%>
+ ssl_client_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.client.crt;
+ ssl_verify_client on;
+<% end -%>
 <% if defined? @ssl_dhparam -%>
 ssl_dhparam <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.dh.pem;
 <% end -%>
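Review bot: The `defined? @ssl_client_cert` guard checks only that the instance variable exists, not that it holds a value; in Ruby it is truthy even when the variable is nil. If Puppet sets the variable for an unset parameter (to be confirmed on the supported Puppet versions), every SSL vhost would get `ssl_verify_client on;` and an `ssl_client_certificate` path for a file that was never sourced. That would either stop nginx from loading the config or reject all clients. A value test such as `<% if @ssl_client_cert -%>` avoids this. The neighbouring `@ssl_dhparam` block uses the same `defined?` form and raises the same question, though it is outside this change. Because `on` is hard-coded, there is no way to choose `optional` or set `ssl_verify_depth`; a follow-up parameter would cover that.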