diff --git a/manifests/config.pp b/manifests/config.pp
index d5b5f2f..b0e5575 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -1,243 +1,244 @@
# Class: nginx::config
#
# This module manages NGINX bootstrap and configuration
#
# Parameters:
#
# There are no default parameters for this class.
#
# Actions:
#
# Requires:
#
# Sample Usage:
#
# This class file is not called directly
class nginx::config {
assert_private()
$client_body_temp_path = $::nginx::client_body_temp_path
$confd_only = $::nginx::confd_only
$confd_purge = $::nginx::confd_purge
$conf_dir = $::nginx::conf_dir
$daemon = $::nginx::daemon
$daemon_user = $::nginx::daemon_user
$global_owner = $::nginx::global_owner
$global_group = $::nginx::global_group
$global_mode = $::nginx::global_mode
$log_dir = $::nginx::log_dir
$log_group = $::nginx::log_group
$log_mode = $::nginx::log_mode
$http_access_log = $::nginx::http_access_log
$http_format_log = $::nginx::http_format_log
$nginx_error_log = $::nginx::nginx_error_log
$nginx_error_log_severity = $::nginx::nginx_error_log_severity
$pid = $::nginx::pid
$proxy_temp_path = $::nginx::proxy_temp_path
$root_group = $::nginx::root_group
$run_dir = $::nginx::run_dir
$sites_available_owner = $::nginx::sites_available_owner
$sites_available_group = $::nginx::sites_available_group
$sites_available_mode = $::nginx::sites_available_mode
$super_user = $::nginx::super_user
$temp_dir = $::nginx::temp_dir
$server_purge = $::nginx::server_purge
$accept_mutex = $::nginx::accept_mutex
$accept_mutex_delay = $::nginx::accept_mutex_delay
$client_body_buffer_size = $::nginx::client_body_buffer_size
$client_max_body_size = $::nginx::client_max_body_size
$client_body_timeout = $::nginx::client_body_timeout
$send_timeout = $::nginx::send_timeout
$lingering_timeout = $::nginx::lingering_timeout
$events_use = $::nginx::events_use
$fastcgi_cache_inactive = $::nginx::fastcgi_cache_inactive
$fastcgi_cache_key = $::nginx::fastcgi_cache_key
$fastcgi_cache_keys_zone = $::nginx::fastcgi_cache_keys_zone
$fastcgi_cache_levels = $::nginx::fastcgi_cache_levels
$fastcgi_cache_max_size = $::nginx::fastcgi_cache_max_size
$fastcgi_cache_path = $::nginx::fastcgi_cache_path
$fastcgi_cache_use_stale = $::nginx::fastcgi_cache_use_stale
$gzip = $::nginx::gzip
$gzip_buffers = $::nginx::gzip_buffers
$gzip_comp_level = $::nginx::gzip_comp_level
$gzip_disable = $::nginx::gzip_disable
$gzip_min_length = $::nginx::gzip_min_length
$gzip_http_version = $::nginx::gzip_http_version
$gzip_proxied = $::nginx::gzip_proxied
$gzip_types = $::nginx::gzip_types
$gzip_vary = $::nginx::gzip_vary
$http_cfg_prepend = $::nginx::http_cfg_prepend
$http_cfg_append = $::nginx::http_cfg_append
$http_tcp_nodelay = $::nginx::http_tcp_nodelay
$http_tcp_nopush = $::nginx::http_tcp_nopush
$keepalive_timeout = $::nginx::keepalive_timeout
$keepalive_requests = $::nginx::keepalive_requests
$log_format = $::nginx::log_format
$mail = $::nginx::mail
$stream = $::nginx::stream
$multi_accept = $::nginx::multi_accept
$names_hash_bucket_size = $::nginx::names_hash_bucket_size
$names_hash_max_size = $::nginx::names_hash_max_size
$nginx_cfg_prepend = $::nginx::nginx_cfg_prepend
$proxy_buffers = $::nginx::proxy_buffers
$proxy_buffer_size = $::nginx::proxy_buffer_size
$proxy_cache_inactive = $::nginx::proxy_cache_inactive
$proxy_cache_keys_zone = $::nginx::proxy_cache_keys_zone
$proxy_cache_levels = $::nginx::proxy_cache_levels
$proxy_cache_max_size = $::nginx::proxy_cache_max_size
$proxy_cache_path = $::nginx::proxy_cache_path
$proxy_cache_loader_files = $::nginx::proxy_cache_loader_files
$proxy_cache_loader_sleep = $::nginx::proxy_cache_loader_sleep
$proxy_cache_loader_threshold = $::nginx::proxy_cache_loader_threshold
$proxy_use_temp_path = $::nginx::proxy_use_temp_path
$proxy_connect_timeout = $::nginx::proxy_connect_timeout
$proxy_headers_hash_bucket_size = $::nginx::proxy_headers_hash_bucket_size
$proxy_http_version = $::nginx::proxy_http_version
$proxy_read_timeout = $::nginx::proxy_read_timeout
$proxy_redirect = $::nginx::proxy_redirect
$proxy_send_timeout = $::nginx::proxy_send_timeout
$proxy_set_header = $::nginx::proxy_set_header
$proxy_hide_header = $::nginx::proxy_hide_header
$proxy_pass_header = $::nginx::proxy_pass_header
$sendfile = $::nginx::sendfile
$server_tokens = $::nginx::server_tokens
$spdy = $::nginx::spdy
$http2 = $::nginx::http2
$ssl_stapling = $::nginx::ssl_stapling
$types_hash_bucket_size = $::nginx::types_hash_bucket_size
$types_hash_max_size = $::nginx::types_hash_max_size
$worker_connections = $::nginx::worker_connections
$worker_processes = $::nginx::worker_processes
$worker_rlimit_nofile = $::nginx::worker_rlimit_nofile
+ $ssl_prefer_server_ciphers = $::nginx::ssl_prefer_server_ciphers
$ssl_protocols = $::nginx::ssl_protocols
$ssl_ciphers = $::nginx::ssl_ciphers
# Non-configurable settings
$conf_template = 'nginx/conf.d/nginx.conf.erb'
$proxy_conf_template = undef
File {
owner => $global_owner,
group => $global_group,
mode => $global_mode,
}
file { $conf_dir:
ensure => directory,
}
file { "${conf_dir}/conf.stream.d":
ensure => directory,
}
file { "${conf_dir}/conf.d":
ensure => directory,
}
if $confd_purge {
# Err on the side of caution - make sure *both* $server_purge and
# $confd_purge are set if $confd_only is set, before purging files
# ${conf_dir}/conf.d
if (($confd_only and $server_purge) or !$confd_only) {
File["${conf_dir}/conf.d"] {
purge => true,
recurse => true,
notify => Class['::nginx::service'],
}
File["${conf_dir}/conf.stream.d"] {
purge => true,
recurse => true,
notify => Class['::nginx::service'],
}
}
}
file { "${conf_dir}/conf.mail.d":
ensure => directory,
}
if $confd_purge == true {
File["${conf_dir}/conf.mail.d"] {
purge => true,
recurse => true,
}
}
file {$run_dir:
ensure => directory,
}
file { $log_dir:
ensure => directory,
mode => $log_mode,
owner => $daemon_user,
group => $log_group,
}
file {$client_body_temp_path:
ensure => directory,
owner => $daemon_user,
}
file {$proxy_temp_path:
ensure => directory,
owner => $daemon_user,
}
unless $confd_only {
file { "${conf_dir}/sites-available":
ensure => directory,
owner => $sites_available_owner,
group => $sites_available_group,
mode => $sites_available_mode,
}
file { "${conf_dir}/sites-enabled":
ensure => directory,
}
if $server_purge {
File["${conf_dir}/sites-available"] {
purge => true,
recurse => true,
}
File["${conf_dir}/sites-enabled"] {
purge => true,
recurse => true,
}
}
# No real reason not to make these even if $stream is not enabled.
file { "${conf_dir}/streams-enabled":
ensure => directory,
owner => $sites_available_owner,
group => $sites_available_group,
mode => $sites_available_mode,
}
file { "${conf_dir}/streams-available":
ensure => directory,
}
if $server_purge {
File["${conf_dir}/streams-enabled"] {
purge => true,
recurse => true,
}
}
}
file { "${conf_dir}/nginx.conf":
ensure => file,
content => template($conf_template),
}
file { "${temp_dir}/nginx.d":
ensure => absent,
purge => true,
recurse => true,
force => true,
}
file { "${temp_dir}/nginx.mail.d":
ensure => absent,
purge => true,
recurse => true,
force => true,
}
}
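Review bot: The new `$ssl_prefer_server_ciphers = $::nginx::ssl_prefer_server_ciphers` local just after `$worker_rlimit_nofile` only has an effect if `nginx/conf.d/nginx.conf.erb` renders it, and the template is not in this hunk, so I could not confirm the http block now emits `ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;`. If the template change is elsewhere in the commit this is fine; otherwise the variable is dead and the 'on' default never reaches nginx. Because this directive decides whether the server's `$ssl_ciphers` ordering or the client's preference wins, a short comment on the assignment would help the next reader: `# rendered by nginx.conf.erb; 'on' makes the server-side ssl_ciphers order authoritative`.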
diff --git a/manifests/init.pp b/manifests/init.pp
index cccd1b7..6a762b3 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,198 +1,199 @@
# Class: nginx
#
# This module manages NGINX.
#
# Parameters:
#
# Actions:
#
# Requires:
# puppetlabs-stdlib - https://github.com/puppetlabs/puppetlabs-stdlib
#
# Packaged NGINX
# - RHEL: EPEL or custom package
# - Debian/Ubuntu: Default Install or custom package
# - SuSE: Default Install or custom package
#
# stdlib
# - puppetlabs-stdlib module >= 0.1.6
# - plugin sync enabled to obtain the anchor type
#
# Sample Usage:
#
# The module works with sensible defaults:
#
# node default {
# include nginx
# }
class nginx (
### START Nginx Configuration ###
$client_body_temp_path = $::nginx::params::client_body_temp_path,
Boolean $confd_only = false,
Boolean $confd_purge = false,
$conf_dir = $::nginx::params::conf_dir,
Optional[Enum['on', 'off']] $daemon = undef,
$daemon_user = $::nginx::params::daemon_user,
$global_owner = $::nginx::params::global_owner,
$global_group = $::nginx::params::global_group,
$global_mode = $::nginx::params::global_mode,
$log_dir = $::nginx::params::log_dir,
$log_group = $::nginx::params::log_group,
$log_mode = '0750',
Variant[String, Array[String]] $http_access_log = "${log_dir}/${::nginx::params::http_access_log_file}",
$http_format_log = undef,
Variant[String, Array[String]] $nginx_error_log = "${log_dir}/${::nginx::params::nginx_error_log_file}",
Enum['debug','info','notice','warn','error','crit','alert','emerg'] $nginx_error_log_severity = 'error',
$pid = $::nginx::params::pid,
$proxy_temp_path = $::nginx::params::proxy_temp_path,
$root_group = $::nginx::params::root_group,
$run_dir = $::nginx::params::run_dir,
$sites_available_owner = $::nginx::params::sites_available_owner,
$sites_available_group = $::nginx::params::sites_available_group,
$sites_available_mode = $::nginx::params::sites_available_mode,
Boolean $super_user = $::nginx::params::super_user,
$temp_dir = $::nginx::params::temp_dir,
Boolean $server_purge = false,
# Primary Templates
$conf_template = 'nginx/conf.d/nginx.conf.erb',
### START Nginx Configuration ###
$accept_mutex = 'on',
$accept_mutex_delay = '500ms',
$client_body_buffer_size = '128k',
String $client_max_body_size = '10m',
$client_body_timeout = '60',
$send_timeout = '60',
$lingering_timeout = '5',
Optional[String] $events_use = undef,
String $fastcgi_cache_inactive = '20m',
Optional[String] $fastcgi_cache_key = undef,
String $fastcgi_cache_keys_zone = 'd3:100m',
String $fastcgi_cache_levels = '1',
String $fastcgi_cache_max_size = '500m',
Optional[String] $fastcgi_cache_path = undef,
Optional[String] $fastcgi_cache_use_stale = undef,
$gzip = 'on',
$gzip_buffers = undef,
$gzip_comp_level = 1,
$gzip_disable = 'msie6',
$gzip_min_length = 20,
$gzip_http_version = 1.1,
$gzip_proxied = 'off',
$gzip_types = undef,
$gzip_vary = 'off',
Optional[Variant[Hash, Array]] $http_cfg_prepend = undef,
Optional[Variant[Hash, Array]] $http_cfg_append = undef,
$http_tcp_nodelay = 'on',
$http_tcp_nopush = 'off',
$keepalive_timeout = '65',
$keepalive_requests = '100',
$log_format = {},
Boolean $mail = false,
Boolean $stream = false,
String $multi_accept = 'off',
Integer $names_hash_bucket_size = 64,
Integer $names_hash_max_size = 512,
$nginx_cfg_prepend = false,
String $proxy_buffers = '32 4k',
String $proxy_buffer_size = '8k',
String $proxy_cache_inactive = '20m',
String $proxy_cache_keys_zone = 'd2:100m',
String $proxy_cache_levels = '1',
String $proxy_cache_max_size = '500m',
Optional[Variant[Hash, String]] $proxy_cache_path = undef,
Optional[Integer] $proxy_cache_loader_files = undef,
Optional[String] $proxy_cache_loader_sleep = undef,
Optional[String] $proxy_cache_loader_threshold = undef,
Optional[Enum['on', 'off']] $proxy_use_temp_path = undef,
$proxy_connect_timeout = '90',
Integer $proxy_headers_hash_bucket_size = 64,
Optional[String] $proxy_http_version = undef,
$proxy_read_timeout = '90',
$proxy_redirect = undef,
$proxy_send_timeout = '90',
Array $proxy_set_header = [
'Host $host',
'X-Real-IP $remote_addr',
'X-Forwarded-For $proxy_add_x_forwarded_for',
'Proxy ""',
],
Array $proxy_hide_header = [],
Array $proxy_pass_header = [],
$sendfile = 'on',
String $server_tokens = 'on',
$spdy = 'off',
$http2 = 'off',
$ssl_stapling = 'off',
$types_hash_bucket_size = '512',
$types_hash_max_size = '1024',
Integer $worker_connections = 1024,
Variant[Integer, Enum['auto']] $worker_processes = 1,
Integer $worker_rlimit_nofile = 1024,
+ Enum['on', 'off'] $ssl_prefer_server_ciphers = 'on',
$ssl_protocols = 'TLSv1 TLSv1.1 TLSv1.2',
$ssl_ciphers = 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS',
### START Package Configuration ###
$package_ensure = present,
$package_name = $::nginx::params::package_name,
$package_source = 'nginx',
$package_flavor = undef,
$manage_repo = $::nginx::params::manage_repo,
$passenger_package_ensure = 'present',
### END Package Configuration ###
### START Service Configuation ###
$service_ensure = running,
$service_flags = undef,
$service_restart = undef,
$service_name = undef,
$service_manage = true,
### END Service Configuration ###
### START Hiera Lookups ###
$geo_mappings = {},
$string_mappings = {},
$nginx_locations = {},
$nginx_mailhosts = {},
$nginx_streamhosts = {},
$nginx_upstreams = {},
$nginx_servers = {},
$nginx_servers_defaults = {},
### END Hiera Lookups ###
) inherits ::nginx::params {
class { '::nginx::package':
package_name => $package_name,
package_source => $package_source,
package_ensure => $package_ensure,
package_flavor => $package_flavor,
passenger_package_ensure => $passenger_package_ensure,
notify => Class['::nginx::service'],
manage_repo => $manage_repo,
}
include '::nginx::config'
include '::nginx::service'
Class['::nginx::package'] -> Class['::nginx::config'] ~> Class['::nginx::service']
create_resources('nginx::resource::upstream', $nginx_upstreams)
create_resources('nginx::resource::server', $nginx_servers, $nginx_servers_defaults)
create_resources('nginx::resource::location', $nginx_locations)
create_resources('nginx::resource::mailhost', $nginx_mailhosts)
create_resources('nginx::resource::streamhost', $nginx_streamhosts)
create_resources('nginx::resource::map', $string_mappings)
create_resources('nginx::resource::geo', $geo_mappings)
# Allow the end user to establish relationships to the "main" class
# and preserve the relationship to the implementation classes through
# a transitive relationship to the composite class.
anchor{ 'nginx::begin':
before => Class['::nginx::package'],
notify => Class['::nginx::service'],
}
anchor { 'nginx::end':
require => Class['::nginx::service'],
}
}
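Review bot: The new `Enum['on', 'off'] $ssl_prefer_server_ciphers = 'on'` parameter is undocumented; the class header's `# Parameters:` section is empty, so there is nowhere a user can learn what the 'on' default implies. I would add `# [*ssl_prefer_server_ciphers*] - Whether the server's cipher order (ssl_ciphers) takes precedence over the client's (on|off). Defaults to 'on'.` above the class. The neighbouring on/off switches `$spdy`, `$http2` and `$ssl_stapling` are untyped while the new one uses `Enum['on', 'off']`; tightening those to the same type would be a consistent follow-up, though it is outside this change.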
diff --git a/manifests/resource/mailhost.pp b/manifests/resource/mailhost.pp
index a2ae3a0..7b66546 100644
--- a/manifests/resource/mailhost.pp
+++ b/manifests/resource/mailhost.pp
@@ -1,166 +1,169 @@
# define: nginx::resource::mailhost
#
# This definition creates a virtual host
#
# Parameters:
-# [*ensure*] - Enables or disables the specified mailhost (present|absent)
-# [*listen_ip*] - Default IP Address for NGINX to listen with this server on. Defaults to all interfaces (*)
-# [*listen_port*] - Default IP Port for NGINX to listen with this server on. Defaults to TCP 80
-# [*listen_options*] - Extra options for listen directive like 'default' to catchall. Undef by default.
-# [*ipv6_enable*] - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6
-# support exists on your system before enabling.
-# [*ipv6_listen_ip*] - Default IPv6 Address for NGINX to listen with this server on. Defaults to all interfaces (::)
-# [*ipv6_listen_port*] - Default IPv6 Port for NGINX to listen with this server on. Defaults to TCP 80
-# [*ipv6_listen_options*] - Extra options for listen directive like 'default' to catchall. Template will allways add ipv6only=on.
-# While issue jfryman/puppet-nginx#30 is discussed, default value is 'default'.
-# [*index_files*] - Default index files for NGINX to read when traversing a directory
-# [*ssl*] - Indicates whether to setup SSL bindings for this mailhost.
-# [*ssl_cert*] - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module.
-# [*ssl_ciphers*] - Override default SSL ciphers. Defaults to nginx::ssl_ciphers
-# [*ssl_client_cert*] - Pre-generated SSL Certificate file to reference for client verify SSL Support. This is not generated by this module.
-# [*ssl_crl*] - String: Specifies CRL path in file system
-# [*ssl_dhparam*] - This directive specifies a file containing Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
-# format, utilized for exchanging session keys between server and client.
-# [*ssl_ecdh_curve*] - This directive specifies a curve for ECDHE ciphers.
-# [*ssl_key*] - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module.
-# [*ssl_password_file*] - This directive specifies a file containing passphrases for secret keys.
-# [*ssl_port*] - Default IP Port for NGINX to listen with this SSL server on. Defaults to TCP 443
-# [*ssl_protocols*] - SSL protocols enabled. Defaults to nginx::ssl_protocols
-# [*ssl_session_cache*] - Sets the type and size of the session cache.
-# [*ssl_session_ticket_key*] - This directive specifies a file containing secret key used to encrypt and decrypt TLS session tickets.
-# [*ssl_session_tickets*] - Whether to enable or disable session resumption through TLS session tickets.
-# [*ssl_session_timeout*] - String: Specifies a time during which a client may reuse the session parameters stored in a cache.
-# Defaults to 5m.
-# [*ssl_trusted_cert*] - String: Specifies a file with trusted CA certificates in the PEM format used to verify client
-# certificates and OCSP responses if ssl_stapling is enabled.
-# [*ssl_verify_depth*] - Sets the verification depth in the client certificates chain.
-# [*starttls*] - Enable STARTTLS support: (on|off|only)
-# [*protocol*] - Mail protocol to use: (imap|pop3|smtp)
-# [*auth_http*] - With this directive you can set the URL to the external HTTP-like server for authorization.
-# [*xclient*] - Whether to use xclient for smtp (on|off)
-# [*imap_auth*] - Sets permitted methods of authentication for IMAP clients.
-# [*imap_capabilities*] - Sets the IMAP protocol extensions list that is passed to the client in response to the CAPABILITY command.
-# [*imap_client_buffer*] - Sets the IMAP commands read buffer size.
-# [*pop3_auth*] - Sets permitted methods of authentication for POP3 clients.
-# [*pop3_capabilities*] - Sets the POP3 protocol extensions list that is passed to the client in response to the CAPA command.
-# [*smtp_auth*] - Sets permitted methods of SASL authentication for SMTP clients.
-# [*smtp_capabilities*] - Sets the SMTP protocol extensions list that is passed to the client in response to the EHLO command.
-# [*proxy_pass_error_message*] - Indicates whether to pass the error message obtained during the authentication on the backend to the client.
-# [*server_name*] - List of mailhostnames for which this mailhost will respond. Default [$name].
-# [*raw_prepend*] - A single string, or an array of strings to prepend to the server directive (after mailhost_cfg_prepend directive). NOTE: YOU are responsible for a semicolon on each line that requires one.
-# [*raw_append*] - A single string, or an array of strings to append to the server directive (after mailhost_cfg_append directive). NOTE: YOU are responsible for a semicolon on each line that requires one.
-# [*mailhost_cfg_append*] - It expects a hash with custom directives to put after everything else inside server
-# [*mailhost_cfg_prepend*] - It expects a hash with custom directives to put before everything else inside server
+# [*ensure*] - Enables or disables the specified mailhost (present|absent)
+# [*listen_ip*] - Default IP Address for NGINX to listen with this server on. Defaults to all interfaces (*)
+# [*listen_port*] - Default IP Port for NGINX to listen with this server on. Defaults to TCP 80
+# [*listen_options*] - Extra options for listen directive like 'default' to catchall. Undef by default.
+# [*ipv6_enable*] - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6
+# support exists on your system before enabling.
+# [*ipv6_listen_ip*] - Default IPv6 Address for NGINX to listen with this server on. Defaults to all interfaces (::)
+# [*ipv6_listen_port*] - Default IPv6 Port for NGINX to listen with this server on. Defaults to TCP 80
+# [*ipv6_listen_options*] - Extra options for listen directive like 'default' to catchall. Template will allways add ipv6only=on.
+# While issue jfryman/puppet-nginx#30 is discussed, default value is 'default'.
+# [*index_files*] - Default index files for NGINX to read when traversing a directory
+# [*ssl*] - Indicates whether to setup SSL bindings for this mailhost.
+# [*ssl_cert*] - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module.
+# [*ssl_ciphers*] - Override default SSL ciphers. Defaults to nginx::ssl_ciphers
+# [*ssl_client_cert*] - Pre-generated SSL Certificate file to reference for client verify SSL Support. This is not generated by this module.
+# [*ssl_crl*] - String: Specifies CRL path in file system
+# [*ssl_dhparam*] - This directive specifies a file containing Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
+# format, utilized for exchanging session keys between server and client.
+# [*ssl_ecdh_curve*] - This directive specifies a curve for ECDHE ciphers.
+# [*ssl_key*] - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module.
+# [*ssl_password_file*] - This directive specifies a file containing passphrases for secret keys.
+# [*ssl_port*] - Default IP Port for NGINX to listen with this SSL server on. Defaults to TCP 443
+# [*ssl_prefer_server_ciphers*] - Specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and TLS protocols. Defaults
+# to $nginx::ssl_prefer_server_ciphers.
+# [*ssl_protocols*] - SSL protocols enabled. Defaults to nginx::ssl_protocols
+# [*ssl_session_cache*] - Sets the type and size of the session cache.
+# [*ssl_session_ticket_key*] - This directive specifies a file containing secret key used to encrypt and decrypt TLS session tickets.
+# [*ssl_session_tickets*] - Whether to enable or disable session resumption through TLS session tickets.
+# [*ssl_session_timeout*] - String: Specifies a time during which a client may reuse the session parameters stored in a cache.
+# Defaults to 5m.
+# [*ssl_trusted_cert*] - String: Specifies a file with trusted CA certificates in the PEM format used to verify client
+# certificates and OCSP responses if ssl_stapling is enabled.
+# [*ssl_verify_depth*] - Sets the verification depth in the client certificates chain.
+# [*starttls*] - Enable STARTTLS support: (on|off|only)
+# [*protocol*] - Mail protocol to use: (imap|pop3|smtp)
+# [*auth_http*] - With this directive you can set the URL to the external HTTP-like server for authorization.
+# [*xclient*] - Whether to use xclient for smtp (on|off)
+# [*imap_auth*] - Sets permitted methods of authentication for IMAP clients.
+# [*imap_capabilities*] - Sets the IMAP protocol extensions list that is passed to the client in response to the CAPABILITY command.
+# [*imap_client_buffer*] - Sets the IMAP commands read buffer size.
+# [*pop3_auth*] - Sets permitted methods of authentication for POP3 clients.
+# [*pop3_capabilities*] - Sets the POP3 protocol extensions list that is passed to the client in response to the CAPA command.
+# [*smtp_auth*] - Sets permitted methods of SASL authentication for SMTP clients.
+# [*smtp_capabilities*] - Sets the SMTP protocol extensions list that is passed to the client in response to the EHLO command.
+# [*proxy_pass_error_message*] - Indicates whether to pass the error message obtained during the authentication on the backend to the client.
+# [*server_name*] - List of mailhostnames for which this mailhost will respond. Default [$name].
+# [*raw_prepend*] - A single string, or an array of strings to prepend to the server directive (after mailhost_cfg_prepend directive). NOTE: YOU are responsible for a semicolon on each line that requires one.
+# [*raw_append*] - A single string, or an array of strings to append to the server directive (after mailhost_cfg_append directive). NOTE: YOU are responsible for a semicolon on each line that requires one.
+# [*mailhost_cfg_append*] - It expects a hash with custom directives to put after everything else inside server
+# [*mailhost_cfg_prepend*] - It expects a hash with custom directives to put before everything else inside server
#
# Actions:
#
# Requires:
#
# Sample Usage:
# nginx::resource::mailhost { 'domain1.example':
# ensure => present,
# auth_http => 'server2.example/cgi-bin/auth',
# protocol => 'smtp',
# listen_port => 587,
# ssl_port => 465,
# starttls => 'only',
# xclient => 'off',
# ssl => true,
# ssl_cert => '/tmp/server.crt',
# ssl_key => '/tmp/server.pem',
# }
define nginx::resource::mailhost (
Integer $listen_port,
Enum['absent', 'present'] $ensure = 'present',
Variant[Array[String], String] $listen_ip = '*',
Optional[String] $listen_options = undef,
Boolean $ipv6_enable = false,
Variant[Array[String], String] $ipv6_listen_ip = '::',
Integer $ipv6_listen_port = 80,
String $ipv6_listen_options = 'default ipv6only=on',
Boolean $ssl = false,
Optional[String] $ssl_cert = undef,
String $ssl_ciphers = $::nginx::ssl_ciphers,
Optional[String] $ssl_client_cert = undef,
Optional[String] $ssl_crl = undef,
Optional[String] $ssl_dhparam = undef,
Optional[String] $ssl_ecdh_curve = undef,
Optional[String] $ssl_key = undef,
Optional[String] $ssl_password_file = undef,
Optional[Integer] $ssl_port = undef,
+ Enum['on', 'off'] $ssl_prefer_server_ciphers = $::nginx::ssl_prefer_server_ciphers,
String $ssl_protocols = $::nginx::ssl_protocols,
Optional[String] $ssl_session_cache = undef,
Optional[String] $ssl_session_ticket_key = undef,
Optional[String] $ssl_session_tickets = undef,
String $ssl_session_timeout = '5m',
Optional[String] $ssl_trusted_cert = undef,
Optional[Integer] $ssl_verify_depth = undef,
Enum['on', 'off', 'only'] $starttls = 'off',
$protocol = undef,
Optional[String] $auth_http = undef,
Optional[String] $auth_http_header = undef,
String $xclient = 'on',
Optional[String] $imap_auth = undef,
Optional[Array] $imap_capabilities = undef,
Optional[String] $imap_client_buffer = undef,
Optional[String] $pop3_auth = undef,
Optional[Array] $pop3_capabilities = undef,
Optional[String] $smtp_auth = undef,
Optional[Array] $smtp_capabilities = undef,
Optional[Variant[Array, String]] $raw_prepend = undef,
Optional[Variant[Array, String]] $raw_append = undef,
Optional[Hash] $mailhost_cfg_prepend = undef,
Optional[Hash] $mailhost_cfg_append = undef,
String $proxy_pass_error_message = 'off',
Array $server_name = [$name]
) {
$root_group = $::nginx::root_group
File {
owner => 'root',
group => $root_group,
mode => '0644',
}
$config_dir = "${::nginx::conf_dir}/conf.mail.d"
$config_file = "${config_dir}/${name}.conf"
# Add IPv6 Logic Check - Nginx service will not start if ipv6 is enabled
# and support does not exist for it in the kernel.
if ($ipv6_enable and !$::ipaddress6) {
warning('nginx: IPv6 support is not enabled or configured properly')
}
# Check to see if SSL Certificates are properly defined.
if ($ssl or $starttls == 'on' or $starttls == 'only') {
if ($ssl_cert == undef) or ($ssl_key == undef) {
fail('nginx: SSL certificate/key (ssl_cert/ssl_cert) and/or SSL Private must be defined and exist on the target system(s)')
}
}
concat { $config_file:
owner => 'root',
group => $root_group,
mode => '0644',
notify => Class['::nginx::service'],
require => File[$config_dir],
}
if (($ssl_port == undef) or ($listen_port + 0) != ($ssl_port + 0)) {
concat::fragment { "${name}-header":
target => $config_file,
content => template('nginx/mailhost/mailhost.erb'),
order => '001',
}
}
# Create SSL File Stubs if SSL is enabled
if ($ssl) {
concat::fragment { "${name}-ssl":
target => $config_file,
content => template('nginx/mailhost/mailhost_ssl.erb'),
order => '700',
}
}
}
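Review bot: The `fail(...)` in the SSL check names the parameters as `ssl_cert/ssl_cert`, so a user who forgot `ssl_key` gets a diagnostic that never mentions it; since this hunk already touches the SSL parameters, I would fix it here: `fail('nginx: SSL certificate (ssl_cert) and SSL private key (ssl_key) must be defined and exist on the target system(s)')`. Separately, the whole `[*ensure*]` … `[*mailhost_cfg_prepend*]` doc block is removed and re-added although, on this rendering, old and new lines read identically apart from the two new `[*ssl_prefer_server_ciphers*]` lines; this looks like a whitespace realignment and would be easier to review as its own commit. The new doc wording "Defaults to $nginx::ssl_prefer_server_ciphers" matches the parameter default, which is good.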
diff --git a/manifests/resource/server.pp b/manifests/resource/server.pp
index f8ab7e0..4a2c6d2 100644
--- a/manifests/resource/server.pp
+++ b/manifests/resource/server.pp
@@ -1,501 +1,438 @@
# define: nginx::resource::server
#
# This definition creates a virtual host
#
# Parameters:
-# [*ensure*] - Enables or disables the specified server
-# (present|absent)
-# [*listen_ip*] - Default IP Address for NGINX to listen with this
-# server on. Defaults to all interfaces (*)
-# [*listen_port*] - Default IP Port for NGINX to listen with this
-# server on. Defaults to TCP 80
-# [*listen_options*] - Extra options for listen directive like
-# 'default_server' to catchall. Undef by default.
-# [*listen_unix_socket_enable*] - BOOL value to enable/disable UNIX socket
-# listening support (false|true).
-# [*listen_unix_socket*] - Default unix socket for NGINX to listen with this
-# server on. Defaults to UNIX /var/run/nginx.sock
-# [*listen_unix_socket_options*] - Extra options for listen directive like
-# 'default' to catchall. Undef by default.
-# [*location_satisfy*] - Allows access if all (all) or at least one (any) of the auth modules allow access.
-# [*location_allow*] - Array: Locations to allow connections from.
-# [*location_deny*] - Array: Locations to deny connections from.
-# [*ipv6_enable*] - BOOL value to enable/disable IPv6 support
-# (false|true). Module will check to see if IPv6 support exists on your
-# system before enabling.
-# [*ipv6_listen_ip*] - Default IPv6 Address for NGINX to listen with
-# this server on. Defaults to all interfaces (::)
-# [*ipv6_listen_port*] - Default IPv6 Port for NGINX to listen with this
-# server on. Defaults to TCP 80
-# [*ipv6_listen_options*] - Extra options for listen directive like 'default'
-# to catchall. Template will allways add ipv6only=on. While issue
-# jfryman/puppet-nginx#30 is discussed, default value is 'default'.
-# [*add_header*] - Hash: Adds headers to the HTTP response when
-# response code is equal to 200, 204, 301, 302 or 304.
-# [*index_files*] - Default index files for NGINX to read when
-# traversing a directory
-# [*autoindex*] - Set it on 'on' or 'off 'to activate/deactivate
-# autoindex directory listing. Undef by default.
-# [*proxy*] - Proxy server(s) for the root location to connect
-# to. Accepts a single value, can be used in conjunction with
-# nginx::resource::upstream
-# [*proxy_read_timeout*] - Override the default the proxy read timeout value
-# of 90 seconds
-# [*proxy_redirect*] - Override the default proxy_redirect value of off.
-# [*proxy_buffering*] - If defined, sets the proxy_buffering to the passed value.
-# [*resolver*] - Array: Configures name servers used to resolve
-# names of upstream servers into addresses.
-# [*fastcgi*] - location of fastcgi (host:port)
-# [*fastcgi_param*] - Set additional custom fastcgi_params
-# [*fastcgi_params*] - optional alternative fastcgi_params file to use
-# [*fastcgi_script*] - optional SCRIPT_FILE parameter
-# [*uwsgi_read_timeout*] - optional value for uwsgi_read_timeout
-# [*ssl*] - Indicates whether to setup SSL bindings for this
-# server.
-# [*ssl_cert*] - Pre-generated SSL Certificate file to reference
-# for SSL Support. This is not generated by this module. Set to `false` to
-# inherit from the http section, which improves performance by conserving
-# memory.
-# [*ssl_client_cert*] - Pre-generated SSL Certificate file to reference
-# for client verify SSL Support. This is not generated by this module.
-# [*ssl_verify_client*] - Enables verification of client certificates.
-# [*ssl_crl*] - String: Specifies CRL path in file system
-# [*ssl_dhparam*] - This directive specifies a file containing
-# Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
-# format, utilized for exchanging session keys between server and client.
-# [*ssl_redirect*] - Adds a server directive and return statement to
-# force ssl redirect. Will honor ssl_port if it's set.
-# [*ssl_redirect_port*] - Overrides $ssl_port in the SSL redirect set by
-# ssl_redirect
-# [*ssl_key*] - Pre-generated SSL Key file to reference for SSL
-# Support. This is not generated by this module. Set to `false` to inherit
-# from the http section, which improves performance by conserving memory.
-# [*ssl_port*] - Default IP Port for NGINX to listen with this SSL
-# server on. Defaults to TCP 443
-# [*ssl_protocols*] - SSL protocols enabled. Defaults to 'TLSv1 TLSv1.1
-# TLSv1.2'.
-# [*ssl_buffer_size*] - Sets the size of the buffer used for sending data.
-# [*ssl_ciphers*] - SSL ciphers enabled. Defaults to
-# nginx::config::ssl_ciphers
-# [*ssl_stapling*] - Bool: Enables or disables stapling of OCSP
-# responses by the server. Defaults to false.
-# [*ssl_stapling_file*] - String: When set, the stapled OCSP response
-# will be taken from the specified file instead of querying the OCSP
-# responder specified in the server certificate.
-# [*ssl_stapling_responder*] - String: Overrides the URL of the OCSP
-# responder specified in the Authority Information Access certificate
-# extension.
-# [*ssl_stapling_verify*] - Bool: Enables or disables verification of
-# OCSP responses by the server. Defaults to false.
-# [*ssl_session_timeout*] - String: Specifies a time during which a client
-# may reuse the session parameters stored in a cache. Defaults to 5m.
-# [*ssl_session_tickets*] - String: Enables or disables session resumption
-# through TLS session tickets.
-# [*ssl_session_ticket_key*] - String: Sets a file with the secret key used
-# to encrypt and decrypt TLS session tickets.
-# [*ssl_trusted_cert*] - String: Specifies a file with trusted CA
-# certificates in the PEM format used to verify client certificates and
-# OCSP responses if ssl_stapling is enabled.
-# [*spdy*] - Toggles SPDY protocol.
-# [*http2*] - Toggles HTTP/2 protocol.
-# [*server_name*] - List of servernames for which this server will
-# respond. Default [$name].
-# [*www_root*] - Specifies the location on disk for files to be
-# read from. Cannot be set in conjunction with $proxy
-# [*rewrite_www_to_non_www*] - Adds a server directive and rewrite rule to
-# rewrite www.domain.com to domain.com in order to avoid duplicate
-# content (SEO);
-# [*try_files*] - Specifies the locations for files to be
-# checked as an array. Cannot be used in conjuction with $proxy.
-# [*proxy_cache*] - This directive sets name of zone for caching.
-# The same zone can be used in multiple places.
-# [*proxy_cache_key*] - Override the default proxy_cache_key of
-# $scheme$proxy_host$request_uri
-# [*proxy_cache_use_stale*] - Override the default proxy_cache_use_stale value
-# of off.
-# [*proxy_cache_valid*] - This directive sets the time for caching
-# different replies.
-# [*proxy_method*] - If defined, overrides the HTTP method of the
-# request to be passed to the backend.
-# [*proxy_http_version*] - Sets the proxy http version
-# [*proxy_set_body*] - If defined, sets the body passed to the backend.
-# [*auth_basic*] - This directive includes testing name and
-# password with HTTP Basic Authentication.
-# [*auth_basic_user_file*] - This directive sets the htpasswd filename for
-# the authentication realm.
-# [*auth_request*] - This allows you to specify a custom auth endpoint
-# [*client_max_body_size*] - This directive sets client_max_body_size.
-# [*client_body_timeout*] - Sets how long the server will wait for a
-# client body. Default is 60s
-# [*client_header_timeout*] - Sets how long the server will wait for a
-# client header. Default is 60s
-# [*raw_prepend*] - A single string, or an array of strings to
-# prepend to the server directive (after cfg prepend directives). NOTE:
-# YOU are responsible for a semicolon on each line that requires one.
-# [*raw_append*] - A single string, or an array of strings to
-# append to the server directive (after cfg append directives). NOTE:
-# YOU are responsible for a semicolon on each line that requires one.
-# [*location_raw_prepend*] - A single string, or an array of strings
-# to prepend to the location directive (after custom_cfg directives). NOTE:
-# YOU are responsible for a semicolon on each line that requires one.
-# [*location_raw_append*] - A single string, or an array of strings
-# to append to the location directive (after custom_cfg directives). NOTE:
-# YOU are responsible for a semicolon on each line that requires one.
-# [*server_cfg_append*] - It expects a hash with custom directives to
-# put after everything else inside server
-# [*server_cfg_prepend*] - It expects a hash with custom directives to
-# put before everything else inside server
-# [*server_cfg_ssl_append*] - It expects a hash with custom directives to
-# put after everything else inside server ssl
-# [*server_cfg_ssl_prepend*] - It expects a hash with custom directives to
-# put before everything else inside server ssl
-# [*include_files*] - Adds include files to server
-# [*access_log*] - Where to write access log (log format can be
-# set with $format_log). This can be either a string or an array; in the
-# latter case, multiple lines will be created. Additionally, unlike the
-# earlier behavior, setting it to 'absent' in the server context will remove
-# this directive entirely from the server stanza, rather than setting a
-# default. Can also be disabled for this server with the string 'off'.
-# [*error_log*] - Where to write error log. May add additional
-# options like error level to the end. May set to 'absent', in which case
-# it will be omitted in this server stanza (and default to nginx.conf setting)
-# [*passenger_cgi_param*] - Allows one to define additional CGI environment
-# variables to pass to the backend application
-# [*passenger_set_header*] - Allows one to set headers to pass to the
-# backend application (Passenger 5.0+)
-# [*passenger_env_var*] - Allows one to set environemnt variables to pass
-# to the backend application (Passenger 5.0+)
-# [*passenger_pre_start*] - Allows setting a URL to pre-warm the host. Per
-# Passenger docs, the "domain part of the URL" must match a value of
-# server_name. If this is an array, multiple URLs can be specified.
-# [*log_by_lua*] - Run the Lua source code inlined as the
-# <lua-script-str> at the log request processing phase.
-# This does not replace the current access logs, but runs after.
-# [*log_by_lua_file*] - Equivalent to log_by_lua, except that the file
-# specified by <path-to-lua-script-file> contains the Lua code, or, as from
-# the v0.5.0rc32 release, the Lua/LuaJIT bytecode to be executed.
-# [*gzip_types*] - Defines gzip_types, nginx default is text/html
-# [*owner*] - Defines owner of the .conf file
-# [*group*] - Defines group of the .conf file
-# [*mode*] - Defines mode of the .conf file
-# [*maintenance*] - A boolean value to set a server in maintenance
-# [*maintenance_value*] - Value to return when maintenance is on.
-# Default to return 503
-# [*error_pages*] - Hash: setup errors pages, hash key is the http
-# code and hash value the page
-# [*locations*] - Hash of servers ressources used by this server
+# [*ensure*] - Enables or disables the specified server (present|absent)
+# [*listen_ip*] - Default IP Address for NGINX to listen with this server on. Defaults to all interfaces (*)
+# [*listen_port*] - Default IP Port for NGINX to listen with this server on. Defaults to TCP 80
+# [*listen_options*] - Extra options for listen directive like 'default_server' to catchall. Undef by default.
+# [*listen_unix_socket_enable*] - BOOL value to enable/disable UNIX socket listening support (false|true).
+# [*listen_unix_socket*] - Default unix socket for NGINX to listen with this server on. Defaults to UNIX /var/run/nginx.sock
+# [*listen_unix_socket_options*] - Extra options for listen directive like 'default' to catchall. Undef by default.
+# [*location_satisfy*] - Allows access if all (all) or at least one (any) of the auth modules allow access.
+# [*location_allow*] - Array: Locations to allow connections from.
+# [*location_deny*] - Array: Locations to deny connections from.
+# [*ipv6_enable*] - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6 support
+# exists on your system before enabling.
+# [*ipv6_listen_ip*] - Default IPv6 Address for NGINX to listen with this server on. Defaults to all interfaces (::)
+# [*ipv6_listen_port*] - Default IPv6 Port for NGINX to listen with this server on. Defaults to TCP 80
+# [*ipv6_listen_options*] - Extra options for listen directive like 'default' to catchall. Template will allways add ipv6only=on.
+# While issue jfryman/puppet-nginx#30 is discussed, default value is 'default'.
+# [*add_header*] - Hash: Adds headers to the HTTP response when response code is equal to 200, 204, 301, 302 or 304.
+# [*index_files*] - Default index files for NGINX to read when traversing a directory
+# [*autoindex*] - Set it on 'on' or 'off 'to activate/deactivate autoindex directory listing. Undef by default.
+# [*proxy*] - Proxy server(s) for the root location to connect to. Accepts a single value, can be used in
+# conjunction with nginx::resource::upstream
+# [*proxy_read_timeout*] - Override the default the proxy read timeout value of 90 seconds
+# [*proxy_redirect*] - Override the default proxy_redirect value of off.
+# [*proxy_buffering*] - If defined, sets the proxy_buffering to the passed value.
+# [*resolver*] - Array: Configures name servers used to resolve names of upstream servers into addresses.
+# [*fastcgi*] - location of fastcgi (host:port)
+# [*fastcgi_param*] - Set additional custom fastcgi_params
+# [*fastcgi_params*] - optional alternative fastcgi_params file to use
+# [*fastcgi_script*] - optional SCRIPT_FILE parameter
+# [*uwsgi_read_timeout*] - optional value for uwsgi_read_timeout
+# [*ssl*] - Indicates whether to setup SSL bindings for this server.
+# [*ssl_cert*] - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module.
+# Set to `false` to inherit from the http section, which improves performance by conserving memory.
+# [*ssl_client_cert*] - Pre-generated SSL Certificate file to reference for client verify SSL Support. This is not generated by
+# this module.
+# [*ssl_verify_client*] - Enables verification of client certificates.
+# [*ssl_crl*] - String: Specifies CRL path in file system
+# [*ssl_dhparam*] - This directive specifies a file containing Diffie-Hellman key agreement protocol cryptographic
+# parameters, in PEM format, utilized for exchanging session keys between server and client.
+# [*ssl_prefer_server_ciphers*] - String: Specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and
+# TLS protocols. Defaults to nginx::ssl_prefer_server_ciphers.
+# [*ssl_redirect*] - Adds a server directive and return statement to force ssl redirect. Will honor ssl_port if it's set.
+# [*ssl_redirect_port*] - Overrides $ssl_port in the SSL redirect set by ssl_redirect
+# [*ssl_key*] - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module. Set to
+# `false` to inherit from the http section, which improves performance by conserving memory.
+# [*ssl_port*] - Default IP Port for NGINX to listen with this SSL server on. Defaults to TCP 443
+# [*ssl_protocols*] - SSL protocols enabled. Defaults to 'TLSv1 TLSv1.1 TLSv1.2'.
+# [*ssl_buffer_size*] - Sets the size of the buffer used for sending data.
+# [*ssl_ciphers*] - SSL ciphers enabled. Defaults to nginx::ssl_ciphers
+# [*ssl_stapling*] - Bool: Enables or disables stapling of OCSP responses by the server. Defaults to false.
+# [*ssl_stapling_file*] - String: When set, the stapled OCSP response will be taken from the specified file instead of querying
+# the OCSP responder specified in the server certificate.
+# [*ssl_stapling_responder*] - String: Overrides the URL of the OCSP responder specified in the Authority Information Access
+# certificate extension.
+# [*ssl_stapling_verify*] - Bool: Enables or disables verification of OCSP responses by the server. Defaults to false.
+# [*ssl_session_timeout*] - String: Specifies a time during which a client may reuse the session parameters stored in a cache.
+# Defaults to 5m.
+# [*ssl_session_tickets*] - String: Enables or disables session resumption through TLS session tickets.
+# [*ssl_session_ticket_key*] - String: Sets a file with the secret key used to encrypt and decrypt TLS session tickets.
+# [*ssl_trusted_cert*] - String: Specifies a file with trusted CA certificates in the PEM format used to verify client
+# certificates and OCSP responses if ssl_stapling is enabled.
+# [*spdy*] - Toggles SPDY protocol.
+# [*http2*] - Toggles HTTP/2 protocol.
+# [*server_name*] - List of servernames for which this server will respond. Default [$name].
+# [*www_root*] - Specifies the location on disk for files to be read from. Cannot be set in conjunction with $proxy
+# [*rewrite_www_to_non_www*] - Adds a server directive and rewrite rule to rewrite www.domain.com to domain.com in order to avoid
+# duplicate content (SEO);
+# [*try_files*] - Specifies the locations for files to be checked as an array. Cannot be used in conjuction with $proxy.
+# [*proxy_cache*] - This directive sets name of zone for caching. The same zone can be used in multiple places.
+# [*proxy_cache_key*] - Override the default proxy_cache_key of $scheme$proxy_host$request_uri
+# [*proxy_cache_use_stale*] - Override the default proxy_cache_use_stale value of off.
+# [*proxy_cache_valid*] - This directive sets the time for caching different replies.
+# [*proxy_method*] - If defined, overrides the HTTP method of the request to be passed to the backend.
+# [*proxy_http_version*] - Sets the proxy http version
+# [*proxy_set_body*] - If defined, sets the body passed to the backend.
+# [*auth_basic*] - This directive includes testing name and password with HTTP Basic Authentication.
+# [*auth_basic_user_file*] - This directive sets the htpasswd filename for the authentication realm.
+# [*auth_request*] - This allows you to specify a custom auth endpoint
+# [*client_max_body_size*] - This directive sets client_max_body_size.
+# [*client_body_timeout*] - Sets how long the server will wait for a client body. Default is 60s
+# [*client_header_timeout*] - Sets how long the server will wait for a client header. Default is 60s
+# [*raw_prepend*] - A single string, or an array of strings to prepend to the server directive (after cfg prepend
+# directives). NOTE: YOU are responsible for a semicolon on each line that requires one.
+# [*raw_append*] - A single string, or an array of strings to append to the server directive (after cfg append
+# directives). NOTE: YOU are responsible for a semicolon on each line that requires one.
+# [*location_raw_prepend*] - A single string, or an array of strings to prepend to the location directive (after custom_cfg
+# directives). NOTE: YOU are responsible for a semicolon on each line that requires one.
+# [*location_raw_append*] - A single string, or an array of strings to append to the location directive (after custom_cfg
+# directives). NOTE: YOU are responsible for a semicolon on each line that requires one.
+# [*server_cfg_append*] - It expects a hash with custom directives to put after everything else inside server
+# [*server_cfg_prepend*] - It expects a hash with custom directives to put before everything else inside server
+# [*server_cfg_ssl_append*] - It expects a hash with custom directives to put after everything else inside server ssl
+# [*server_cfg_ssl_prepend*] - It expects a hash with custom directives to put before everything else inside server ssl
+# [*include_files*] - Adds include files to server
+# [*access_log*] - Where to write access log (log format can be set with $format_log). This can be either a string or an
+# array; in the latter case, multiple lines will be created. Additionally, unlike the earlier behavior, setting it to 'absent' in the
+# server context will remove this directive entirely from the server stanza, rather than setting a default. Can also be disabled for
+# this server with the string 'off'.
+# [*error_log*] - Where to write error log. May add additional options like error level to the end. May set to 'absent',
+# in which case it will be omitted in this server stanza (and default to nginx.conf setting)
+# [*passenger_cgi_param*] - Allows one to define additional CGI environment variables to pass to the backend application
+# [*passenger_set_header*] - Allows one to set headers to pass to the backend application (Passenger 5.0+)
+# [*passenger_env_var*] - Allows one to set environemnt variables to pass to the backend application (Passenger 5.0+)
+# [*passenger_pre_start*] - Allows setting a URL to pre-warm the host. Per Passenger docs, the "domain part of the URL" must match
+# a value of server_name. If this is an array, multiple URLs can be specified.
+# [*log_by_lua*] - Run the Lua source code inlined as the <lua-script-str> at the log request processing phase. This does
+# not replace the current access logs, but runs after.
+# [*log_by_lua_file*] - Equivalent to log_by_lua, except that the file specified by <path-to-lua-script-file> contains the Lua
+# code, or, as from the v0.5.0rc32 release, the Lua/LuaJIT bytecode to be executed.
+# [*gzip_types*] - Defines gzip_types, nginx default is text/html
+# [*owner*] - Defines owner of the .conf file
+# [*group*] - Defines group of the .conf file
+# [*mode*] - Defines mode of the .conf file
+# [*maintenance*] - A boolean value to set a server in maintenance
+# [*maintenance_value*] - Value to return when maintenance is on. Default to return 503
+# [*error_pages*] - Hash: setup errors pages, hash key is the http code and hash value the page
+# [*locations*] - Hash of servers resources used by this server
# Actions:
#
# Requires:
#
# Sample Usage:
# nginx::resource::server { 'test2.local':
# ensure => present,
# www_root => '/var/www/nginx-default',
# ssl => true,
# ssl_cert => '/tmp/server.crt',
# ssl_key => '/tmp/server.pem',
# }
define nginx::resource::server (
Enum['absent', 'present'] $ensure = 'present',
Variant[Array, String] $listen_ip = '*',
Integer $listen_port = 80,
Optional[String] $listen_options = undef,
Boolean $listen_unix_socket_enable = false,
Variant[Array[Stdlib::Absolutepath], Stdlib::Absolutepath] $listen_unix_socket = '/var/run/nginx.sock',
Optional[String] $listen_unix_socket_options = undef,
Optional[Enum['any', 'all']] $location_satisfy = undef,
Array $location_allow = [],
Array $location_deny = [],
Boolean $ipv6_enable = false,
Variant[Array, String] $ipv6_listen_ip = '::',
Integer $ipv6_listen_port = 80,
String $ipv6_listen_options = 'default ipv6only=on',
Optional[Hash] $add_header = undef,
Boolean $ssl = false,
Boolean $ssl_listen_option = true,
Optional[Variant[String, Boolean]] $ssl_cert = undef,
Optional[String] $ssl_client_cert = undef,
Optional[String] $ssl_verify_client = 'on',
Optional[String] $ssl_dhparam = undef,
Boolean $ssl_redirect = false,
Optional[Integer] $ssl_redirect_port = undef,
Optional[Variant[String, Boolean]] $ssl_key = undef,
Integer $ssl_port = 443,
+ Enum['on', 'off'] $ssl_prefer_server_ciphers = $::nginx::ssl_prefer_server_ciphers,
String $ssl_protocols = $::nginx::ssl_protocols,
$ssl_buffer_size = undef,
String $ssl_ciphers = $::nginx::ssl_ciphers,
String $ssl_cache = 'shared:SSL:10m',
Optional[String] $ssl_crl = undef,
Boolean $ssl_stapling = false,
Optional[String] $ssl_stapling_file = undef,
Optional[String] $ssl_stapling_responder = undef,
Boolean $ssl_stapling_verify = false,
String $ssl_session_timeout = '5m',
Optional[String] $ssl_session_tickets = undef,
Optional[String] $ssl_session_ticket_key = undef,
Optional[String] $ssl_trusted_cert = undef,
String $spdy = $::nginx::spdy,
$http2 = $::nginx::http2,
Optional[String] $proxy = undef,
Optional[String]$proxy_redirect = undef,
String $proxy_read_timeout = $::nginx::proxy_read_timeout,
$proxy_connect_timeout = $::nginx::proxy_connect_timeout,
Array[String] $proxy_set_header = $::nginx::proxy_set_header,
Array[String] $proxy_hide_header = $::nginx::proxy_hide_header,
Array[String] $proxy_pass_header = $::nginx::proxy_pass_header,
Optional[String] $proxy_cache = undef,
Optional[String] $proxy_cache_key = undef,
Optional[String] $proxy_cache_use_stale = undef,
Optional[Variant[Array[String], String]] $proxy_cache_valid = undef,
Optional[String] $proxy_method = undef,
Optional[String] $proxy_http_version = undef,
Optional[String] $proxy_set_body = undef,
Optional[String] $proxy_buffering = undef,
Array $resolver = [],
Optional[String] $fastcgi = undef,
$fastcgi_param = undef,
String $fastcgi_params = "${::nginx::conf_dir}/fastcgi_params",
Optional[String] $fastcgi_script = undef,
Optional[String] $uwsgi = undef,
String $uwsgi_params = "${nginx::config::conf_dir}/uwsgi_params",
Optional[String] $uwsgi_read_timeout = undef,
Array $index_files = [
'index.html',
'index.htm',
'index.php'],
Optional[String] $autoindex = undef,
Array[String] $server_name = [$name],
Optional[String] $www_root = undef,
Boolean $rewrite_www_to_non_www = false,
Optional[Hash] $location_custom_cfg = undef,
Optional[Hash] $location_cfg_prepend = undef,
Optional[Hash] $location_cfg_append = undef,
Optional[Hash] $location_custom_cfg_prepend = undef,
Optional[Hash] $location_custom_cfg_append = undef,
Optional[Array[String]] $try_files = undef,
Optional[String] $auth_basic = undef,
Optional[String] $auth_basic_user_file = undef,
Optional[String] $auth_request = undef,
Optional[String] $client_body_timeout = undef,
Optional[String] $client_header_timeout = undef,
$client_max_body_size = undef,
Optional[Variant[Array[String], String]] $raw_prepend = undef,
Optional[Variant[Array[String], String]] $raw_append = undef,
Optional[Variant[Array[String], String]] $location_raw_prepend = undef,
Optional[Variant[Array[String], String]] $location_raw_append = undef,
Optional[Hash] $server_cfg_prepend = undef,
Optional[Hash] $server_cfg_append = undef,
Optional[Hash] $server_cfg_ssl_prepend = undef,
Optional[Hash] $server_cfg_ssl_append = undef,
Optional[Array[String]] $include_files = undef,
Optional[Variant[String, Array]] $access_log = undef,
Optional[Variant[String, Array]] $error_log = undef,
$format_log = 'combined',
Optional[Hash] $passenger_cgi_param = undef,
Optional[Hash] $passenger_set_header = undef,
Optional[Hash] $passenger_env_var = undef,
Optional[Variant[Array[String], String]] $passenger_pre_start = undef,
Optional[String] $log_by_lua = undef,
Optional[String] $log_by_lua_file = undef,
$use_default_location = true,
$rewrite_rules = [],
$string_mappings = {},
$geo_mappings = {},
Optional[String] $gzip_types = undef,
String $owner = $::nginx::global_owner,
String $group = $::nginx::global_group,
String $mode = $::nginx::global_mode,
Boolean $maintenance = false,
String $maintenance_value = 'return 503',
$error_pages = undef,
Hash $locations = {}
) {
# Variables
if $::nginx::confd_only {
$server_dir = "${::nginx::conf_dir}/conf.d"
} else {
$server_dir = "${::nginx::conf_dir}/sites-available"
$server_enable_dir = "${::nginx::conf_dir}/sites-enabled"
$server_symlink_ensure = $ensure ? {
'absent' => absent,
default => 'link',
}
}
$name_sanitized = regsubst($name, ' ', '_', 'G')
$config_file = "${server_dir}/${name_sanitized}.conf"
File {
ensure => $ensure ? {
'absent' => absent,
default => 'file',
},
notify => Class['::nginx::service'],
owner => $owner,
group => $group,
mode => $mode,
}
# Add IPv6 Logic Check - Nginx service will not start if ipv6 is enabled
# and support does not exist for it in the kernel.
if ($ipv6_enable == true) and (!$::ipaddress6) {
warning('nginx: IPv6 support is not enabled or configured properly')
}
# Check to see if SSL Certificates are properly defined.
if ($ssl == true) {
if ($ssl_cert == undef) {
fail('nginx: ssl_cert must be set to false or to a fully qualified path')
}
if ($ssl_key == undef) {
fail('nginx: ssl_key must be set to false or to a fully qualified path')
}
}
concat { $config_file:
owner => $owner,
group => $group,
mode => $mode,
notify => Class['::nginx::service'],
require => File[$server_dir],
}
# This deals with a situation where the listen directive for SSL doesn't match
# the port we want to force the SSL redirect to.
if ($ssl_redirect_port) {
$_ssl_redirect_port = $ssl_redirect_port
} elsif ($ssl_port) {
$_ssl_redirect_port = $ssl_port
}
# Suppress unneded stuff in non-SSL location block when certain conditions are
# met.
if (($ssl == true) and ($ssl_port == $listen_port)) or ($ssl_redirect) {
$ssl_only = true
} else {
$ssl_only = false
}
if $use_default_location == true {
# Create the default location reference for the server
nginx::resource::location {"${name_sanitized}-default":
ensure => $ensure,
server => $name_sanitized,
ssl => $ssl,
ssl_only => $ssl_only,
location => '/',
location_satisfy => $location_satisfy,
location_allow => $location_allow,
location_deny => $location_deny,
proxy => $proxy,
proxy_redirect => $proxy_redirect,
proxy_read_timeout => $proxy_read_timeout,
proxy_connect_timeout => $proxy_connect_timeout,
proxy_cache => $proxy_cache,
proxy_cache_key => $proxy_cache_key,
proxy_cache_use_stale => $proxy_cache_use_stale,
proxy_cache_valid => $proxy_cache_valid,
proxy_method => $proxy_method,
proxy_http_version => $proxy_http_version,
proxy_set_header => $proxy_set_header,
proxy_hide_header => $proxy_hide_header,
proxy_pass_header => $proxy_pass_header,
proxy_set_body => $proxy_set_body,
proxy_buffering => $proxy_buffering,
fastcgi => $fastcgi,
fastcgi_param => $fastcgi_param,
fastcgi_params => $fastcgi_params,
fastcgi_script => $fastcgi_script,
uwsgi => $uwsgi,
uwsgi_params => $uwsgi_params,
uwsgi_read_timeout => $uwsgi_read_timeout,
try_files => $try_files,
www_root => $www_root,
autoindex => $autoindex,
index_files => $index_files,
location_custom_cfg => $location_custom_cfg,
location_cfg_prepend => $location_cfg_prepend,
location_cfg_append => $location_cfg_append,
location_custom_cfg_prepend => $location_custom_cfg_prepend,
location_custom_cfg_append => $location_custom_cfg_append,
rewrite_rules => $rewrite_rules,
raw_prepend => $location_raw_prepend,
raw_append => $location_raw_append,
notify => Class['nginx::service'],
}
$root = undef
} else {
$root = $www_root
}
if $fastcgi != undef and !defined(File[$fastcgi_params]) {
file { $fastcgi_params:
ensure => present,
mode => '0644',
content => template('nginx/server/fastcgi_params.erb'),
}
}
if $uwsgi != undef and !defined(File[$uwsgi_params]) {
file { $uwsgi_params:
ensure => present,
mode => '0644',
content => template('nginx/server/uwsgi_params.erb'),
}
}
if (($listen_port + 0) != ($ssl_port + 0)) {
concat::fragment { "${name_sanitized}-header":
target => $config_file,
content => template('nginx/server/server_header.erb'),
order => '001',
}
}
# Create a proper file close stub.
if (($listen_port + 0) != ($ssl_port + 0)) {
concat::fragment { "${name_sanitized}-footer":
target => $config_file,
content => template('nginx/server/server_footer.erb'),
order => '699',
}
}
# Create SSL File Stubs if SSL is enabled
if ($ssl == true) {
# Access and error logs are named differently in ssl template
concat::fragment { "${name_sanitized}-ssl-header":
target => $config_file,
content => template('nginx/server/server_ssl_header.erb'),
order => '700',
}
concat::fragment { "${name_sanitized}-ssl-footer":
target => $config_file,
content => template('nginx/server/server_ssl_footer.erb'),
order => '999',
}
}
unless $::nginx::confd_only {
file{ "${name_sanitized}.conf symlink":
ensure => $server_symlink_ensure,
path => "${server_enable_dir}/${name_sanitized}.conf",
target => $config_file,
require => [File[$server_dir], File[$server_enable_dir], Concat[$config_file]],
notify => Class['::nginx::service'],
}
}
create_resources('::nginx::resource::map', $string_mappings)
create_resources('::nginx::resource::geo', $geo_mappings)
create_resources('::nginx::resource::location', $locations, {
ensure => $ensure,
server => $name_sanitized,
ssl => $ssl,
ssl_only => $ssl_only,
www_root => $www_root,
})
}
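Review bot: The new `$ssl_prefer_server_ciphers` parameter (the added line after `$ssl_port`) is declared and documented, but nothing in this hunk shows it being consumed: the SSL stanza is rendered from `nginx/server/server_ssl_header.erb`, which is not part of this diff, so presumably the template reads it through scope — worth confirming, because otherwise neither the per-server value nor the class-level default has any effect on the emitted `ssl_prefer_server_ciphers` directive. The `Enum['on', 'off']` type is stricter than the `String` used for the sibling on/off parameters and is a good choice, but since the default is `$::nginx::ssl_prefer_server_ciphers`, that class value must itself be exactly `'on'` or `'off'` or every declaration of this define fails catalog compilation, not only the SSL-enabled ones; stating that in the parameter doc would save a surprise, e.g. `# Must be 'on' or 'off'; applies to the SSL server block only.`. The doc text also mentions the SSLv3 protocol, which this define never enables by default (`ssl_protocols` defaults to 'TLSv1 TLSv1.1 TLSv1.2'); wording it as "when negotiating TLS" would avoid implying SSLv3 support.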
diff --git a/spec/defines/resource_mailhost_spec.rb b/spec/defines/resource_mailhost_spec.rb
index 52cb9ee..1c8bc21 100644
--- a/spec/defines/resource_mailhost_spec.rb
+++ b/spec/defines/resource_mailhost_spec.rb
@@ -1,703 +1,715 @@
require 'spec_helper'
describe 'nginx::resource::mailhost' do
let(:title) { 'www.rspec.example.com' }
let(:facts) { { ipaddress6: '::' } }
let :default_params do
{
listen_port: 25,
ipv6_enable: true
}
end
let(:pre_condition) { ['include ::nginx'] }
describe 'os-independent items' do
describe 'basic assumptions' do
let(:params) { default_params }
it { is_expected.to contain_class('nginx') }
it { is_expected.to contain_concat("/etc/nginx/conf.mail.d/#{title}.conf").that_requires('File[/etc/nginx/conf.mail.d]') }
it do
is_expected.to contain_concat("/etc/nginx/conf.mail.d/#{title}.conf").with('owner' => 'root',
'group' => 'root',
'mode' => '0644')
end
it { is_expected.to contain_concat__fragment("#{title}-header") }
it { is_expected.not_to contain_concat__fragment("#{title}-ssl") }
end
describe 'mailhost template content' do
[
{
title: 'should set the IPv4 listen IP',
attr: 'listen_ip',
value: '127.0.0.1',
match: ' listen 127.0.0.1:25;'
},
{
title: 'should set the IPv4 listen port',
attr: 'listen_port',
value: 45,
match: ' listen *:45;'
},
{
title: 'should set the IPv4 listen options',
attr: 'listen_options',
value: 'spdy default',
match: ' listen *:25 spdy default;'
},
{
title: 'should enable IPv6',
attr: 'ipv6_enable',
value: true,
match: ' listen [::]:80 default ipv6only=on;'
},
{
title: 'should not enable IPv6',
attr: 'ipv6_enable',
value: false,
notmatch: %r{ listen \[::\]:80 default ipv6only=on;}
},
{
title: 'should set the IPv6 listen IP',
attr: 'ipv6_listen_ip',
value: '2001:0db8:85a3:0000:0000:8a2e:0370:7334',
match: ' listen [2001:0db8:85a3:0000:0000:8a2e:0370:7334]:80 default ipv6only=on;'
},
{
title: 'should set the IPv6 listen port',
attr: 'ipv6_listen_port',
value: 45,
match: ' listen [::]:45 default ipv6only=on;'
},
{
title: 'should set the IPv6 listen options',
attr: 'ipv6_listen_options',
value: 'spdy',
match: ' listen [::]:80 spdy;'
},
{
title: 'should set servername(s)',
attr: 'server_name',
value: %w(name1 name2),
match: ' server_name name1 name2;'
},
{
title: 'should set protocol',
attr: 'protocol',
value: 'test-protocol',
match: ' protocol test-protocol;'
},
{
title: 'should set xclient',
attr: 'xclient',
value: 'test-xclient',
match: ' xclient test-xclient;'
},
{
title: 'should set auth_http',
attr: 'auth_http',
value: 'test-auth_http',
match: ' auth_http test-auth_http;'
},
{
title: 'should set auth_http_header',
attr: 'auth_http_header',
value: 'X-Auth-Key "secret_string"',
match: ' auth_http_header X-Auth-Key "secret_string";'
},
{
title: 'should set starttls',
attr: 'starttls',
value: 'on',
match: ' starttls on;'
},
{
title: 'should set starttls',
attr: 'starttls',
value: 'only',
match: ' starttls only;'
},
{
title: 'should not enable SSL',
attr: 'starttls',
value: 'off',
notmatch: %r{ ssl_session_timeout 5m;}
},
{
title: 'should contain raw_prepend directives',
attr: 'raw_prepend',
value: [
'if (a) {',
' b;',
'}'
],
match: %r{^\s+if \(a\) \{\n\s++b;\n\s+\}}
},
{
title: 'should contain raw_append directives',
attr: 'raw_append',
value: [
'if (a) {',
' b;',
'}'
],
match: %r{^\s+if \(a\) \{\n\s++b;\n\s+\}}
},
{
title: 'should contain ordered prepended directives',
attr: 'mailhost_cfg_prepend',
value: { 'test1' => 'test value 1', 'test2' => ['test value 2a', 'test value 2b'], 'test3' => 'test value 3' },
match: [
' test1 test value 1;',
' test2 test value 2a;',
' test2 test value 2b;',
' test3 test value 3;'
]
},
{
title: 'should contain ordered appended directives',
attr: 'mailhost_cfg_append',
value: { 'test1' => 'test value 1', 'test2' => ['test value 2a', 'test value 2b'], 'test3' => 'test value 3' },
match: [
' test1 test value 1;',
' test2 test value 2a;',
' test2 test value 2b;',
' test3 test value 3;'
]
}
].each do |param|
context "when #{param[:attr]} is #{param[:value]}" do
let :default_params do
{
listen_port: 25,
ipv6_enable: true,
ssl_cert: 'dummy.crt',
ssl_key: 'dummy.key'
}
end
let(:params) { default_params.merge(param[:attr].to_sym => param[:value]) }
it { is_expected.to contain_concat__fragment("#{title}-header") }
it param[:title] do
matches = Array(param[:match])
if matches.all? { |m| m.is_a? Regexp }
matches.each { |item| is_expected.to contain_concat__fragment("#{title}-header").with_content(item) }
else
lines = catalogue.resource('concat::fragment', "#{title}-header").send(:parameters)[:content].split("\n")
expect(lines & Array(param[:match])).to eq(Array(param[:match]))
end
end
end
end
end
describe 'mailhost template content for imap' do
[
{
title: 'should set imap_auth',
attr: 'imap_auth',
value: 'login',
match: ' imap_auth login;'
},
{
title: 'should set imap_capabilities',
attr: 'imap_capabilities',
value: ['"SIZE 52428800"', 'IMAP4rev1', 'UIDPLUS'],
match: ' imap_capabilities "SIZE 52428800" IMAP4rev1 UIDPLUS;'
},
{
title: 'should set imap_client_buffer',
attr: 'imap_client_buffer',
value: '8k',
match: ' imap_client_buffer 8k;'
}
].each do |param|
context "when #{param[:attr]} is #{param[:value]}" do
let :default_params do
{
listen_port: 25,
ipv6_enable: true,
protocol: 'imap'
}
end
let(:params) { default_params.merge(param[:attr].to_sym => param[:value]) }
it { is_expected.to contain_concat__fragment("#{title}-header") }
it param[:title] do
matches = Array(param[:match])
if matches.all? { |m| m.is_a? Regexp }
matches.each { |item| is_expected.to contain_concat__fragment("#{title}-header").with_content(item) }
else
lines = catalogue.resource('concat::fragment', "#{title}-header").send(:parameters)[:content].split("\n")
expect(lines & Array(param[:match])).to eq(Array(param[:match]))
end
end
end
end
end
describe 'mailhost template content for pop3' do
[
{
title: 'should set pop3_auth',
attr: 'pop3_auth',
value: 'login',
match: ' pop3_auth login;'
},
{
title: 'should set pop3_capabilities',
attr: 'pop3_capabilities',
value: %w(TOP USER UIDL),
match: ' pop3_capabilities TOP USER UIDL;'
}
].each do |param|
context "when #{param[:attr]} is #{param[:value]}" do
let :default_params do
{
listen_port: 25,
ipv6_enable: true,
protocol: 'pop3'
}
end
let(:params) { default_params.merge(param[:attr].to_sym => param[:value]) }
it { is_expected.to contain_concat__fragment("#{title}-header") }
it param[:title] do
matches = Array(param[:match])
if matches.all? { |m| m.is_a? Regexp }
matches.each { |item| is_expected.to contain_concat__fragment("#{title}-header").with_content(item) }
else
lines = catalogue.resource('concat::fragment', "#{title}-header").send(:parameters)[:content].split("\n")
expect(lines & Array(param[:match])).to eq(Array(param[:match]))
end
end
end
end
end
describe 'mailhost template content for smtp' do
[
{
title: 'should set smtp_auth',
attr: 'smtp_auth',
value: 'login',
match: ' smtp_auth login;'
},
{
title: 'should set smtp_capabilities',
attr: 'smtp_capabilities',
value: %w(8BITMIME PIPELINING HELP),
match: ' smtp_capabilities 8BITMIME PIPELINING HELP;'
}
].each do |param|
context "when #{param[:attr]} is #{param[:value]}" do
let :default_params do
{
listen_port: 25,
ipv6_enable: true,
protocol: 'smtp'
}
end
let(:params) { default_params.merge(param[:attr].to_sym => param[:value]) }
it { is_expected.to contain_concat__fragment("#{title}-header") }
it param[:title] do
matches = Array(param[:match])
if matches.all? { |m| m.is_a? Regexp }
matches.each { |item| is_expected.to contain_concat__fragment("#{title}-header").with_content(item) }
else
lines = catalogue.resource('concat::fragment', "#{title}-header").send(:parameters)[:content].split("\n")
expect(lines & Array(param[:match])).to eq(Array(param[:match]))
end
end
end
end
end
describe 'mailhost template content (SSL enabled)' do
[
{
title: 'should set starttls',
attr: 'starttls',
value: 'on',
match: ' starttls on;'
},
{
title: 'should set starttls',
attr: 'starttls',
value: 'only',
match: ' starttls only;'
},
{
title: 'should not enable SSL',
attr: 'starttls',
value: 'off',
notmatch: %r{ ssl_session_timeout 5m;}
},
{
title: 'should set ssl_certificate',
attr: 'ssl_cert',
value: 'test-ssl-cert',
match: ' ssl_certificate test-ssl-cert;'
},
{
title: 'should set ssl_certificate_key',
attr: 'ssl_key',
value: 'test-ssl-cert-key',
match: ' ssl_certificate_key test-ssl-cert-key;'
},
{
title: 'should set ssl_ciphers',
attr: 'ssl_ciphers',
value: 'ECDHE-ECDSA-CHACHA20-POLY1305',
match: ' ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305;'
},
+ {
+ title: 'should set ssl_prefer_server_ciphers to on',
+ attr: 'ssl_prefer_server_ciphers',
+ value: 'on',
+ match: ' ssl_prefer_server_ciphers on;'
+ },
+ {
+ title: 'should set ssl_prefer_server_ciphers to off',
+ attr: 'ssl_prefer_server_ciphers',
+ value: 'off',
+ match: ' ssl_prefer_server_ciphers off;'
+ },
{
title: 'should set ssl_client_certificate',
attr: 'ssl_client_cert',
value: 'client-cert',
match: ' ssl_client_certificate client-cert;'
},
{
title: 'should set ssl_crl',
attr: 'ssl_crl',
value: 'crl-file',
match: ' ssl_crl crl-file;'
},
{
title: 'should set ssl_dhparam',
attr: 'ssl_dhparam',
value: 'dhparam-file',
match: ' ssl_dhparam dhparam-file;'
},
{
title: 'should set ssl_ecdh_curve',
attr: 'ssl_ecdh_curve',
value: 'secp521r1',
match: ' ssl_ecdh_curve secp521r1;'
},
{
title: 'should set ssl_client_certificate',
attr: 'ssl_client_cert',
value: 'client-cert',
match: ' ssl_client_certificate client-cert;'
},
{
title: 'should set ssl_password_file',
attr: 'ssl_password_file',
value: 'password-file',
match: ' ssl_password_file password-file;'
},
{
title: 'should set ssl_protocols',
attr: 'ssl_protocols',
value: 'TLSv1.2',
match: ' ssl_protocols TLSv1.2;'
},
{
title: 'should set ssl_session_cache',
attr: 'ssl_session_cache',
value: 'none',
match: ' ssl_session_cache none;'
},
{
title: 'should set ssl_session_ticket_key',
attr: 'ssl_session_ticket_key',
value: 'key-file',
match: ' ssl_session_ticket_key key-file;'
},
{
title: 'should set ssl_session_tickets',
attr: 'ssl_session_tickets',
value: 'on',
match: ' ssl_session_tickets on;'
},
{
title: 'should set ssl_session_timeout',
attr: 'ssl_session_timeout',
value: '20m',
match: ' ssl_session_timeout 20m;'
},
{
title: 'should set ssl_trusted_certificate',
attr: 'ssl_trusted_cert',
value: 'trust-cert',
match: ' ssl_trusted_certificate trust-cert;'
},
{
title: 'should set ssl_verify_depth',
attr: 'ssl_verify_depth',
value: 2,
match: ' ssl_verify_depth 2;'
}
].each do |param|
context "when #{param[:attr]} is #{param[:value]}" do
let :default_params do
{
listen_port: 25,
starttls: 'on',
ssl_cert: 'dummy.crt',
ssl_key: 'dummy.key'
}
end
let(:params) { default_params.merge(param[:attr].to_sym => param[:value]) }
it { is_expected.to contain_concat__fragment("#{title}-header") }
it param[:title] do
matches = Array(param[:match])
if matches.all? { |m| m.is_a? Regexp }
matches.each { |item| is_expected.to contain_concat__fragment("#{title}-header").with_content(item) }
else
lines = catalogue.resource('concat::fragment', "#{title}-header").send(:parameters)[:content].split("\n")
expect(lines & Array(param[:match])).to eq(Array(param[:match]))
end
end
end
end
end
describe 'mailhost_ssl template content' do
[
{
title: 'should set the IPv4 SSL listen port',
attr: 'ssl_port',
value: 45,
match: ' listen *:45;'
},
{
title: 'should enable IPv6',
attr: 'ipv6_enable',
value: true,
match: ' listen [::]:587 default ipv6only=on;'
},
{
title: 'should not enable IPv6',
attr: 'ipv6_enable',
value: false,
notmatch: %r{ listen\s+\[::\]:587 default ipv6only=on;}
},
{
title: 'should set the IPv6 listen IP',
attr: 'ipv6_listen_ip',
value: '2001:0db8:85a3:0000:0000:8a2e:0370:7334',
match: ' listen [2001:0db8:85a3:0000:0000:8a2e:0370:7334]:587 default ipv6only=on;'
},
{
title: 'should set the IPv6 ssl port',
attr: 'ssl_port',
value: 45,
match: ' listen [::]:45 default ipv6only=on;'
},
{
title: 'should set the IPv6 listen options',
attr: 'ipv6_listen_options',
value: 'spdy',
match: ' listen [::]:587 spdy;'
},
{
title: 'should set servername(s)',
attr: 'server_name',
value: %w(name1 name2),
match: ' server_name name1 name2;'
},
{
title: 'should set protocol',
attr: 'protocol',
value: 'test-protocol',
match: ' protocol test-protocol;'
},
{
title: 'should set xclient',
attr: 'xclient',
value: 'test-xclient',
match: ' xclient test-xclient;'
},
{
title: 'should set auth_http',
attr: 'auth_http',
value: 'test-auth_http',
match: ' auth_http test-auth_http;'
},
{
title: 'should set auth_http_header',
attr: 'auth_http_header',
value: 'X-Auth-Key "secret_string"',
match: ' auth_http_header X-Auth-Key "secret_string";'
},
{
title: 'should set ssl_protocols',
attr: 'ssl_protocols',
value: 'test-ssl-protocol',
match: ' ssl_protocols test-ssl-protocol;'
},
{
title: 'should set ssl_ciphers',
attr: 'ssl_ciphers',
value: 'test-ssl-ciphers',
match: ' ssl_ciphers test-ssl-ciphers;'
},
{
title: 'should set ssl_certificate',
attr: 'ssl_cert',
value: 'test-ssl-cert',
match: ' ssl_certificate test-ssl-cert;'
},
{
title: 'should set ssl_certificate_key',
attr: 'ssl_key',
value: 'test-ssl-cert-key',
match: ' ssl_certificate_key test-ssl-cert-key;'
}
].each do |param|
context "when #{param[:attr]} is #{param[:value]}" do
let :default_params do
{
listen_port: 25,
ssl_port: 587,
ipv6_enable: true,
ssl: true,
ssl_protocols: 'default-protocols',
ssl_ciphers: 'default-ciphers',
ssl_cert: 'dummy.crt',
ssl_key: 'dummy.key'
}
end
let(:params) { default_params.merge(param[:attr].to_sym => param[:value]) }
it { is_expected.to contain_concat__fragment("#{title}-ssl") }
it param[:title] do
matches = Array(param[:match])
if matches.all? { |m| m.is_a? Regexp }
matches.each { |item| is_expected.to contain_concat__fragment("#{title}-ssl").with_content(item) }
else
lines = catalogue.resource('concat::fragment', "#{title}-ssl").send(:parameters)[:content].split("\n")
expect(lines & Array(param[:match])).to eq(Array(param[:match]))
end
end
end
end
end
context 'attribute resources' do
context 'SSL cert missing and ssl => true' do
let(:params) do
default_params.merge(
ssl: true, ssl_key: 'key'
)
end
it { expect { is_expected.to contain_class('nginx::resource::server') }.to raise_error(Puppet::Error, %r{nginx: SSL certificate/key \(ssl_cert/ssl_cert\) and/or SSL Private must be defined and exist on the target system\(s\)}) }
end
context 'SSL key missing and ssl => true' do
let :params do
default_params.merge(ssl: true,
ssl_cert: 'cert')
end
it { expect { is_expected.to contain_class('nginx::resource::server') }.to raise_error(Puppet::Error, %r{nginx: SSL certificate/key \(ssl_cert/ssl_cert\) and/or SSL Private must be defined and exist on the target system\(s\)}) }
end
context "SSL cert missing and starttls => 'on'" do
let :params do
default_params.merge(starttls: 'on',
ssl_key: 'key')
end
it { expect { is_expected.to contain_class('nginx::resource::server') }.to raise_error(Puppet::Error, %r{nginx: SSL certificate/key \(ssl_cert/ssl_cert\) and/or SSL Private must be defined and exist on the target system\(s\)}) }
end
context "SSL key missing and starttls => 'on'" do
let :params do
default_params.merge(starttls: 'on',
ssl_cert: 'cert')
end
it { expect { is_expected.to contain_class('nginx::resource::server') }.to raise_error(Puppet::Error, %r{nginx: SSL certificate/key \(ssl_cert/ssl_cert\) and/or SSL Private must be defined and exist on the target system\(s\)}) }
end
context "SSL cert missing and starttls => 'only'" do
let :params do
default_params.merge(starttls: 'only',
ssl_key: 'key')
end
it { expect { is_expected.to contain_class('nginx::resource::server') }.to raise_error(Puppet::Error, %r{nginx: SSL certificate/key \(ssl_cert/ssl_cert\) and/or SSL Private must be defined and exist on the target system\(s\)}) }
end
context "SSL key missing and starttls => 'only'" do
let :params do
default_params.merge(starttls: 'only',
ssl_cert: 'cert')
end
it { expect { is_expected.to contain_class('nginx::resource::server') }.to raise_error(Puppet::Error, %r{nginx: SSL certificate/key \(ssl_cert/ssl_cert\) and/or SSL Private must be defined and exist on the target system\(s\)}) }
end
context 'when listen_port != ssl_port' do
let :params do
default_params.merge(listen_port: 80,
ssl_port: 443)
end
it { is_expected.to contain_concat__fragment("#{title}-header") }
end
context 'when listen_port != "ssl_port"' do
let :params do
default_params.merge(listen_port: 80,
ssl_port: 443)
end
it { is_expected.to contain_concat__fragment("#{title}-header") }
end
context 'when listen_port == ssl_port' do
let :params do
default_params.merge(listen_port: 80,
ssl_port: 80)
end
it { is_expected.not_to contain_concat__fragment("#{title}-header") }
end
context 'when listen_port == "ssl_port"' do
let :params do
default_params.merge(listen_port: 80,
ssl_port: 80)
end
it { is_expected.not_to contain_concat__fragment("#{title}-header") }
end
context 'when ssl => true' do
let :params do
default_params.merge(ensure: 'absent',
ssl: true,
ssl_key: 'dummy.key',
ssl_cert: 'dummy.cert')
end
it { is_expected.to contain_concat__fragment("#{title}-header") }
it { is_expected.to contain_concat__fragment("#{title}-ssl") }
end
context 'when ssl => false' do
let :params do
default_params.merge(ensure: 'absent',
ssl: false)
end
it { is_expected.to contain_concat__fragment("#{title}-header") }
it { is_expected.not_to contain_concat__fragment("#{title}-ssl") }
end
end
end
end
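Review bot: The two new `ssl_prefer_server_ciphers` cases in the `mailhost template content (SSL enabled)` list only check the STARTTLS `-header` fragment, and nothing pins what the template emits when the parameter is left at its default, which is the value most deployments will run with; for TLS 1.2 and earlier this directive decides whether the server's `ssl_ciphers` order or the client's wins, so the default is the security-relevant case. Add a default assertion in a starttls context, e.g. `it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{ssl_prefer_server_ciphers\s+on;}) }`, adjusting `on` to whatever the define actually defaults to. The `mailhost_ssl template content` list for the dedicated `-ssl` fragment already covers `ssl_protocols`, `ssl_ciphers` and `ssl_certificate` but gets no `ssl_prefer_server_ciphers` entry; if that template renders the directive too, mirror one case there, e.g. `{ title: 'should set ssl_prefer_server_ciphers', attr: 'ssl_prefer_server_ciphers', value: 'off', match: ' ssl_prefer_server_ciphers off;' }`. A negative case passing an invalid value such as `'yes'` and expecting a compile error would also confirm the parameter is typed rather than interpolated verbatim into the generated nginx config.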
diff --git a/spec/defines/resource_server_spec.rb b/spec/defines/resource_server_spec.rb
index de588f1..5c55722 100644
--- a/spec/defines/resource_server_spec.rb
+++ b/spec/defines/resource_server_spec.rb
@@ -1,1175 +1,1187 @@
require 'spec_helper'
describe 'nginx::resource::server' do
let :title do
'www.rspec.example.com'
end
let :default_params do
{
www_root: '/',
ipv6_enable: true,
listen_unix_socket_enable: true
}
end
let :facts do
{
ipaddress6: '::'
}
end
let :pre_condition do
[
'include ::nginx'
]
end
describe 'os-independent items' do
describe 'basic assumptions' do
let(:params) { default_params }
it { is_expected.to contain_class('nginx') }
it do
is_expected.to contain_concat("/etc/nginx/sites-available/#{title}.conf").with('owner' => 'root',
'group' => 'root',
'mode' => '0644')
end
it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{access_log\s+/var/log/nginx/www\.rspec\.example\.com\.access\.log combined;}) }
it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{error_log\s+/var/log/nginx/www\.rspec\.example\.com\.error\.log}) }
it { is_expected.to contain_concat__fragment("#{title}-footer") }
it { is_expected.to contain_nginx__resource__location("#{title}-default") }
it { is_expected.not_to contain_file('/etc/nginx/fastcgi_params') }
it do
is_expected.to contain_file("#{title}.conf symlink").with('ensure' => 'link',
'path' => "/etc/nginx/sites-enabled/#{title}.conf",
'target' => "/etc/nginx/sites-available/#{title}.conf")
end
end
describe 'with $confd_only enabled' do
let(:pre_condition) { 'class { "nginx": confd_only => true }' }
let(:params) { default_params }
it { is_expected.to contain_class('nginx') }
it do
is_expected.to contain_concat("/etc/nginx/conf.d/#{title}.conf").with('owner' => 'root',
'group' => 'root',
'mode' => '0644')
is_expected.not_to contain_file('/etc/nginx/sites-enabled')
is_expected.not_to contain_file('/etc/nginx/sites-available')
end
end
describe 'server_header template content' do
[
{
title: 'should not contain www to non-www rewrite',
attr: 'rewrite_www_to_non_www',
value: false,
notmatch: %r{
^
\s+server_name\s+www\.rspec\.example\.com;\n
\s+return\s+301\s+http://rspec\.example\.com\$request_uri;
}x
},
{
title: 'should contain www to non-www rewrite',
attr: 'rewrite_www_to_non_www',
value: true,
match: %r{
^
\s+server_name\s+www\.rspec\.example\.com;\n
\s+return\s+301\s+http://rspec\.example\.com\$request_uri;
}x
},
{
title: 'should set the IPv4 listen IP',
attr: 'listen_ip',
value: '127.0.0.1',
match: %r{\s+listen\s+127.0.0.1:80;}
},
{
title: 'should set the IPv4 listen port',
attr: 'listen_port',
value: 45,
match: %r{\s+listen\s+\*:45;}
},
{
title: 'should set the IPv4 listen options',
attr: 'listen_options',
value: 'spdy default',
match: %r{\s+listen\s+\*:80 spdy default;}
},
{
title: 'should enable IPv6',
attr: 'ipv6_enable',
value: true,
match: %r{\s+listen\s+\[::\]:80 default ipv6only=on;}
},
{
title: 'should not enable IPv6',
attr: 'ipv6_enable',
value: false,
notmatch: %r{\slisten \[::\]:80 default ipv6only=on;}
},
{
title: 'should set the IPv6 listen IP',
attr: 'ipv6_listen_ip',
value: '2001:0db8:85a3:0000:0000:8a2e:0370:7334',
match: %r{\s+listen\s+\[2001:0db8:85a3:0000:0000:8a2e:0370:7334\]:80 default ipv6only=on;}
},
{
title: 'should set the IPv6 listen port',
attr: 'ipv6_listen_port',
value: 45,
match: %r{\s+listen\s+\[::\]:45 default ipv6only=on;}
},
{
title: 'should set the IPv6 listen options',
attr: 'ipv6_listen_options',
value: 'spdy',
match: %r{\s+listen\s+\[::\]:80 spdy;}
},
{
title: 'should enable listening on unix socket',
attr: 'listen_unix_socket_enable',
value: true,
match: %r{\s+listen\s+unix:/var/run/nginx\.sock;}
},
{
title: 'should not enable listening on unix socket',
attr: 'listen_unix_socket_enable',
value: false,
notmatch: %r{\s+listen\s+unix:/var/run/nginx\.sock;}
},
{
title: 'should set the listen unix socket',
attr: 'listen_unix_socket',
value: '/var/run/puppet_nginx.sock',
match: %r{\s+listen\s+unix:/var/run/puppet_nginx\.sock;}
},
{
title: 'should set the listen unix socket options',
attr: 'listen_unix_socket_options',
value: 'spdy',
match: %r{\s+listen\s+unix:/var/run/nginx\.sock spdy;}
},
{
title: 'should set servername(s)',
attr: 'server_name',
value: ['www.foo.com', 'foo.com'],
match: %r{\s+server_name\s+www.foo.com foo.com;}
},
{
title: 'should rewrite www servername to non-www',
attr: 'rewrite_www_to_non_www',
value: true,
match: %r{\s+server_name\s+rspec.example.com;}
},
{
title: 'should not rewrite www servername to non-www',
attr: 'rewrite_www_to_non_www',
value: false,
match: %r{\s+server_name\s+www.rspec.example.com;}
},
{
title: 'should set auth_basic',
attr: 'auth_basic',
value: 'value',
match: %r{\s+auth_basic\s+"value";}
},
{
title: 'should set auth_basic_user_file',
attr: 'auth_basic_user_file',
value: 'value',
match: %r{\s+auth_basic_user_file\s+value;}
},
{
title: 'should set auth_request',
attr: 'auth_request',
value: 'value',
match: %r{\s+auth_request\s+value;}
},
{
title: 'should set the client_body_timeout',
attr: 'client_body_timeout',
value: 'value',
match: %r{^\s+client_body_timeout\s+value;}
},
{
title: 'should set the client_header_timeout',
attr: 'client_header_timeout',
value: 'value',
match: %r{^\s+client_header_timeout\s+value;}
},
{
title: 'should set the gzip_types',
attr: 'gzip_types',
value: 'value',
match: %r{^\s+gzip_types\s+value;}
},
{
title: 'should contain raw_prepend directives',
attr: 'raw_prepend',
value: [
'if (a) {',
' b;',
'}'
],
match: %r{^\s+if \(a\) \{\n\s++b;\n\s+\}}
},
{
title: 'should contain ordered prepended directives',
attr: 'server_cfg_prepend',
value: { 'test1' => ['test value 1a', 'test value 1b'], 'test2' => 'test value 2', 'allow' => 'test value 3' },
match: [
' allow test value 3;',
' test1 test value 1a;',
' test1 test value 1b;',
' test2 test value 2;'
]
},
{
title: 'should set root',
attr: 'use_default_location',
value: false,
match: ' root /;'
},
{
title: 'should not set root',
attr: 'use_default_location',
value: true,
notmatch: %r{ root /;}
},
{
title: 'should force https (SSL) redirect',
attr: 'ssl_redirect',
value: true,
match: %r{ return 301 https://\$host\$request_uri;}
},
{
title: 'should not force https (SSL) redirect',
attr: 'ssl_redirect',
value: false,
notmatch: %r{\s*return\s+301}
},
{
title: 'should set access_log',
attr: 'access_log',
value: '/path/to/access.log',
match: ' access_log /path/to/access.log combined;'
},
{
title: 'should set multiple access_log directives',
attr: 'access_log',
value: ['/path/to/log/1', 'syslog:server=localhost'],
match: [
' access_log /path/to/log/1 combined;',
' access_log syslog:server=localhost combined;'
]
},
{
title: 'should set access_log off',
attr: 'access_log',
value: 'off',
match: ' access_log off;'
},
{
title: 'should set access_log to syslog',
attr: 'access_log',
value: 'syslog:server=localhost',
match: ' access_log syslog:server=localhost combined;'
},
{
title: 'should set format_log custom_format',
attr: 'format_log',
value: 'custom',
match: ' access_log /var/log/nginx/www.rspec.example.com.access.log custom;'
},
{
title: 'should not include access_log in server when set to absent',
attr: 'access_log',
value: 'absent',
notmatch: 'access_log'
},
{
title: 'should set error_log',
attr: 'error_log',
value: '/path/to/error.log',
match: ' error_log /path/to/error.log;'
},
{
title: 'should allow multiple error_log directives',
attr: 'error_log',
value: ['/path/to/error.log', 'syslog:server=localhost'],
match: [
' error_log /path/to/error.log;',
' error_log syslog:server=localhost;'
]
},
{
title: 'should not include error_log in server when set to absent',
attr: 'error_log',
value: 'absent',
notmatch: 'error_log'
},
{
title: 'should set error_pages',
attr: 'error_pages',
value: { '503' => '/foo.html' },
match: ' error_page 503 /foo.html;'
}
].each do |param|
context "when #{param[:attr]} is #{param[:value]}" do
let(:params) { default_params.merge(param[:attr].to_sym => param[:value]) }
it { is_expected.to contain_concat__fragment("#{title}-header") }
it param[:title] do
matches = Array(param[:match])
if matches.all? { |m| m.is_a? Regexp }
matches.each { |item| is_expected.to contain_concat__fragment("#{title}-header").with_content(item) }
else
lines = catalogue.resource('concat::fragment', "#{title}-header").send(:parameters)[:content].split("\n")
expect(lines & Array(param[:match])).to eq(Array(param[:match]))
end
Array(param[:notmatch]).each do |item|
is_expected.to contain_concat__fragment("#{title}-header").without_content(item)
end
end
end
end
end
describe 'server_footer template content' do
[
{
title: 'should not contain www to non-www rewrite',
attr: 'rewrite_www_to_non_www',
value: false,
notmatch: %r{
^
\s+server_name\s+www\.rspec\.example\.com;\n
\s+return\s+301\s+https://rspec\.example\.com\$request_uri;
}x
},
{
title: 'should contain include directives',
attr: 'include_files',
value: ['/file1', '/file2'],
match: [
%r{^\s+include\s+/file1;},
%r{^\s+include\s+/file2;}
]
},
{
title: 'should contain ordered appended directives',
attr: 'server_cfg_append',
value: { 'test1' => 'test value 1', 'test2' => ['test value 2a', 'test value 2b'], 'allow' => 'test value 3' },
match: [
' allow test value 3;',
' test1 test value 1;',
' test2 test value 2a;',
' test2 test value 2b;'
]
},
{
title: 'should contain raw_append directives',
attr: 'raw_append',
value: [
'if (a) {',
' b;',
'}'
],
match: %r{^\s+if \(a\) \{\n\s++b;\n\s+\}}
}
].each do |param|
context "when #{param[:attr]} is #{param[:value]}" do
let(:params) { default_params.merge(param[:attr].to_sym => param[:value]) }
it { is_expected.to contain_concat__fragment("#{title}-footer") }
it param[:title] do
matches = Array(param[:match])
if matches.all? { |m| m.is_a? Regexp }
matches.each { |item| is_expected.to contain_concat__fragment("#{title}-footer").with_content(item) }
else
lines = catalogue.resource('concat::fragment', "#{title}-footer").send(:parameters)[:content].split("\n")
expect(lines & Array(param[:match])).to eq(Array(param[:match]))
end
Array(param[:notmatch]).each do |item|
is_expected.to contain_concat__fragment("#{title}-footer").without_content(item)
end
end
end
end
end
describe 'server_ssl_header template content' do
[
{
title: 'should not contain www to non-www rewrite',
attr: 'rewrite_www_to_non_www',
value: false,
notmatch: %r{
^
\s+server_name\s+www\.rspec\.example\.com;\n
\s+return\s+301\s+https://rspec\.example\.com\$request_uri;
}x
},
{
title: 'should contain www to non-www rewrite',
attr: 'rewrite_www_to_non_www',
value: true,
match: %r{
^
\s+server_name\s+www\.rspec\.example\.com;\n
\s+return\s+301\s+https://rspec\.example\.com\$request_uri;
}x
},
{
title: 'should set the IPv4 listen IP',
attr: 'listen_ip',
value: '127.0.0.1',
match: %r{\s+listen\s+127.0.0.1:443 ssl;}
},
{
title: 'should set the IPv4 SSL listen port',
attr: 'ssl_port',
value: 45,
match: %r{\s+listen\s+\*:45 ssl;}
},
{
title: 'should set SPDY',
attr: 'spdy',
value: 'on',
match: %r{\s+listen\s+\*:443 ssl spdy;}
},
{
title: 'should not set SPDY',
attr: 'spdy',
value: 'off',
match: %r{\s+listen\s+\*:443 ssl;}
},
{
title: 'should set HTTP2',
attr: 'http2',
value: 'on',
match: %r{\s+listen\s+\*:443 ssl http2;}
},
{
title: 'should not set HTTP2',
attr: 'http2',
value: 'off',
match: %r{\s+listen\s+\*:443 ssl;}
},
{
title: 'should set the IPv4 listen options',
attr: 'listen_options',
value: 'default',
match: %r{\s+listen\s+\*:443 ssl default;}
},
{
title: 'should enable IPv6',
attr: 'ipv6_enable',
value: true,
match: %r{\s+listen\s+\[::\]:443 ssl default ipv6only=on;}
},
{
title: 'should disable IPv6',
attr: 'ipv6_enable',
value: false,
notmatch: %r{ listen \[::\]:443 ssl default ipv6only=on;}
},
{
title: 'should set the IPv6 listen IP',
attr: 'ipv6_listen_ip',
value: '2001:0db8:85a3:0000:0000:8a2e:0370:7334',
match: %r{\s+listen\s+\[2001:0db8:85a3:0000:0000:8a2e:0370:7334\]:443 ssl default ipv6only=on;}
},
{
title: 'should set the IPv6 listen port',
attr: 'ssl_port',
value: 45,
match: %r{\s+listen\s+\[::\]:45 ssl default ipv6only=on;}
},
{
title: 'should set the IPv6 listen options',
attr: 'ipv6_listen_options',
value: 'spdy default',
match: %r{\s+listen\s+\[::\]:443 ssl spdy default;}
},
{
title: 'should set servername(s)',
attr: 'server_name',
value: ['www.foo.com', 'foo.com'],
match: %r{\s+server_name\s+www.foo.com foo.com;}
},
{
title: 'should rewrite www servername to non-www',
attr: 'rewrite_www_to_non_www',
value: true,
match: %r{\s+server_name\s+rspec.example.com;}
},
{
title: 'should not rewrite www servername to non-www',
attr: 'rewrite_www_to_non_www',
value: false,
match: %r{\s+server_name\s+www.rspec.example.com;}
},
{
title: 'should set the SSL buffer size',
attr: 'ssl_buffer_size',
value: '4k',
match: ' ssl_buffer_size 4k;'
},
{
title: 'should set the SSL client certificate file',
attr: 'ssl_client_cert',
value: '/tmp/client_certificate',
match: %r{\s+ssl_client_certificate\s+/tmp/client_certificate;}
},
{
title: 'should set the SSL CRL file',
attr: 'ssl_crl',
value: '/tmp/crl',
match: %r{\s+ssl_crl\s+/tmp/crl;}
},
{
title: 'should set the SSL DH parameters file',
attr: 'ssl_dhparam',
value: '/tmp/dhparam',
match: %r{\s+ssl_dhparam\s+/tmp/dhparam;}
},
{
title: 'should set the SSL stapling file',
attr: 'ssl_stapling_file',
value: '/tmp/stapling_file',
match: %r{\s+ssl_stapling_file\s+/tmp/stapling_file;}
},
{
title: 'should set the SSL trusted certificate file',
attr: 'ssl_trusted_cert',
value: '/tmp/trusted_certificate',
match: %r{\s+ssl_trusted_certificate\s+/tmp/trusted_certificate;}
},
{
title: 'should set the SSL cache',
attr: 'ssl_cache',
value: 'shared:SSL:1m',
match: %r{\s+ssl_session_cache\s+shared:SSL:1m;}
},
{
title: 'should set the SSL timeout',
attr: 'ssl_session_timeout',
value: '30m',
match: ' ssl_session_timeout 30m;'
},
{
title: 'should set the SSL protocols',
attr: 'ssl_protocols',
value: 'TLSv1',
match: %r{\s+ssl_protocols\s+TLSv1;}
},
{
title: 'should set the SSL ciphers',
attr: 'ssl_ciphers',
value: 'HIGH',
match: %r{\s+ssl_ciphers\s+HIGH;}
},
+ {
+ title: 'should set ssl_prefer_server_ciphers on',
+ attr: 'ssl_prefer_server_ciphers',
+ value: 'on',
+ match: %r{\s+ssl_prefer_server_ciphers\s+on;}
+ },
+ {
+ title: 'should set ssl_prefer_server_ciphers off',
+ attr: 'ssl_prefer_server_ciphers',
+ value: 'off',
+ match: %r{\s+ssl_prefer_server_ciphers\s+off;}
+ },
{
title: 'should set auth_basic',
attr: 'auth_basic',
value: 'value',
match: %r{\s+auth_basic\s+"value";}
},
{
title: 'should set auth_basic_user_file',
attr: 'auth_basic_user_file',
value: 'value',
match: %r{\s+auth_basic_user_file\s+"value";}
},
{
title: 'should set auth_request',
attr: 'auth_request',
value: 'value',
match: %r{\s+auth_request\s+value;}
},
{
title: 'should set the client_body_timeout',
attr: 'client_body_timeout',
value: 'value',
match: %r{^\s+client_body_timeout\s+value;}
},
{
title: 'should set the client_header_timeout',
attr: 'client_header_timeout',
value: 'value',
match: %r{^\s+client_header_timeout\s+value;}
},
{
title: 'should set the gzip_types',
attr: 'gzip_types',
value: 'value',
match: %r{^\s+gzip_types\s+value;}
},
{
title: 'should set access_log',
attr: 'access_log',
value: '/path/to/access.log',
match: ' access_log /path/to/access.log combined;'
},
{
title: 'should set multiple access_log directives',
attr: 'access_log',
value: ['/path/to/log/1', 'syslog:server=localhost'],
match: [
' access_log /path/to/log/1 combined;',
' access_log syslog:server=localhost combined;'
]
},
{
title: 'should set access_log off',
attr: 'access_log',
value: 'off',
match: ' access_log off;'
},
{
title: 'should not include access_log in server when set to absent',
attr: 'access_log',
value: 'absent',
notmatch: 'access_log'
},
{
title: 'should set access_log to syslog',
attr: 'access_log',
value: 'syslog:server=localhost',
match: ' access_log syslog:server=localhost combined;'
},
{
title: 'should set format_log custom_format',
attr: 'format_log',
value: 'custom',
match: ' access_log /var/log/nginx/ssl-www.rspec.example.com.access.log custom;'
},
{
title: 'should set error_log',
attr: 'error_log',
value: '/path/to/error.log',
match: ' error_log /path/to/error.log;'
},
{
title: 'should allow multiple error_log directives',
attr: 'error_log',
value: ['/path/to/error.log', 'syslog:server=localhost'],
match: [
' error_log /path/to/error.log;',
' error_log syslog:server=localhost;'
]
},
{
title: 'should not include error_log in server when set to absent',
attr: 'error_log',
value: 'absent',
notmatch: 'error_log'
},
{
title: 'should set error_pages',
attr: 'error_pages',
value: { '503' => '/foo.html' },
match: ' error_page 503 /foo.html;'
},
{
title: 'should contain raw_prepend directives',
attr: 'raw_prepend',
value: [
'if (a) {',
' b;',
'}'
],
match: %r{^\s+if \(a\) \{\n\s++b;\n\s+\}}
},
{
title: 'should contain ordered prepend directives',
attr: 'server_cfg_prepend',
value: { 'test1' => 'test value 1', 'test2' => ['test value 2a', 'test value 2b'], 'allow' => 'test value 3' },
match: [
' allow test value 3;',
' test1 test value 1;',
' test2 test value 2a;',
' test2 test value 2b;'
]
},
{
title: 'should contain ordered ssl prepend directives',
attr: 'server_cfg_ssl_prepend',
value: { 'test1' => 'test value 1', 'test2' => ['test value 2a', 'test value 2b'], 'allow' => 'test value 3' },
match: [
' allow test value 3;',
' test1 test value 1;',
' test2 test value 2a;',
' test2 test value 2b;'
]
},
{
title: 'should set root',
attr: 'use_default_location',
value: false,
match: ' root /;'
},
{
title: 'should not set root',
attr: 'use_default_location',
value: true,
notmatch: %r{ root /;}
}
].each do |param|
context "when #{param[:attr]} is #{param[:value]}" do
let :params do
default_params.merge(param[:attr].to_sym => param[:value],
:ssl => true,
:ssl_key => 'dummy.key',
:ssl_cert => 'dummy.crt')
end
it { is_expected.to contain_concat__fragment("#{title}-ssl-header") }
it param[:title] do
matches = Array(param[:match])
if matches.all? { |m| m.is_a? Regexp }
matches.each { |item| is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(item) }
else
lines = catalogue.resource('concat::fragment', "#{title}-ssl-header").send(:parameters)[:content].split("\n")
expect(lines & Array(param[:match])).to eq(Array(param[:match]))
end
Array(param[:notmatch]).each do |item|
is_expected.to contain_concat__fragment("#{title}-ssl-header").without_content(item)
end
end
end
end
end
describe 'server_ssl_footer template content' do
[
{
title: 'should not contain www to non-www rewrite',
attr: 'rewrite_www_to_non_www',
value: false,
notmatch: %r{
^
\s+server_name\s+www\.rspec\.example\.com;\n
\s+return\s+301\s+https://rspec\.example\.com\$request_uri;
}x
},
{
title: 'should contain include directives',
attr: 'include_files',
value: ['/file1', '/file2'],
match: [
%r{^\s+include\s+/file1;},
%r{^\s+include\s+/file2;}
]
},
{
title: 'should contain ordered appended directives',
attr: 'server_cfg_append',
value: { 'test1' => 'test value 1', 'test2' => 'test value 2', 'allow' => 'test value 3' },
match: [
' allow test value 3;',
' test1 test value 1;',
' test2 test value 2;'
]
},
{
title: 'should contain raw_append directives',
attr: 'raw_append',
value: [
'if (a) {',
' b;',
'}'
],
match: %r{^\s+if \(a\) \{\n\s++b;\n\s+\}}
},
{
title: 'should contain ordered ssl appended directives',
attr: 'server_cfg_ssl_append',
value: { 'test1' => 'test value 1', 'test2' => ['test value 2a', 'test value 2b'], 'allow' => 'test value 3' },
match: [
' allow test value 3;',
' test1 test value 1;',
' test2 test value 2a;',
' test2 test value 2b;'
]
}
].each do |param|
context "when #{param[:attr]} is #{param[:value]}" do
let :params do
default_params.merge(param[:attr].to_sym => param[:value],
:ssl => true,
:ssl_key => 'dummy.key',
:ssl_cert => 'dummy.crt')
end
it { is_expected.to contain_concat__fragment("#{title}-ssl-footer") }
it param[:title] do
matches = Array(param[:match])
if matches.all? { |m| m.is_a? Regexp }
matches.each { |item| is_expected.to contain_concat__fragment("#{title}-ssl-footer").with_content(item) }
else
lines = catalogue.resource('concat::fragment', "#{title}-ssl-footer").send(:parameters)[:content].split("\n")
expect(lines & Array(param[:match])).to eq(Array(param[:match]))
end
Array(param[:notmatch]).each do |item|
is_expected.to contain_concat__fragment("#{title}-ssl-footer").without_content(item)
end
end
end
end
end
context 'attribute resources' do
context 'with SSL enabled, www rewrite to naked domain with multiple server_names' do
let(:title) { 'foo.com' }
let(:params) do
{
ssl: true,
ssl_cert: 'cert',
ssl_key: 'key',
server_name: %w(www.foo.com bar.foo.com foo.com),
use_default_location: false,
rewrite_www_to_non_www: true
}
end
it "sets the server_name of the rewrite server stanza to every server_name with 'www.' stripped" do
is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{^\s+server_name\s+foo.com\s+bar.foo.com\s+foo.com;})
end
end
context 'with SSL disabled, www rewrite to naked domain with multiple server_names' do
let(:title) { 'foo.com' }
let(:params) do
{
server_name: %w(www.foo.com bar.foo.com foo.com),
use_default_location: false,
rewrite_www_to_non_www: true
}
end
it "sets the server_name of the rewrite server stanza to every server_name with 'www.' stripped" do
is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{^\s+server_name\s+foo.com\s+bar.foo.com\s+foo.com;})
end
end
context 'ssl_redirect' do
let(:params) { { ssl_redirect: true } }
it { is_expected.to contain_concat__fragment("#{title}-header").without_content(%r{^\s*index\s+}) }
it { is_expected.to contain_concat__fragment("#{title}-header").without_content(%r{^\s*location\s+}) }
end
context 'ssl_redirect with alternate port' do
let(:params) { { ssl_redirect: true, ssl_port: 8888 } }
it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{ return 301 https://\$host:8888\$request_uri;}) }
end
context 'ssl_redirect with standard port set explicitly' do
let(:params) { { ssl_redirect: true, ssl_port: 443 } }
it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{ return 301 https://\$host\$request_uri;}) }
end
context 'ssl_redirect with overridden port' do
let(:params) { { ssl_redirect: true, ssl_redirect_port: 8878 } }
it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{ return 301 https://\$host:8878\$request_uri;}) }
end
context 'ssl_redirect with ssl_port set and overridden redirect port' do
let(:params) do
{
ssl_redirect: true,
ssl_redirect_port: 9787,
ssl_port: 9783
}
end
it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{ return 301 https://\$host:9787\$request_uri;}) }
end
context 'ssl_redirect should set ssl_only' do
let(:params) { { ssl_redirect: true } }
it { is_expected.to contain_nginx__resource__location("#{title}-default").with_ssl_only(true) }
end
context 'SSL cert and key are both set to fully qualified paths' do
let(:params) { { ssl: true, ssl_cert: '/tmp/foo.crt', ssl_key: '/tmp/foo.key:' } }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_certificate\s+/tmp/foo.crt}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_certificate_key\s+/tmp/foo.key}) }
end
context 'SSL cert and key are both set to false' do
let(:params) { { ssl: true, ssl_cert: false, ssl_key: false } }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").without_content(%r{ssl_certificate}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").without_content(%r{ssl_certificate_key}) }
end
context 'when use_default_location => true' do
let :params do
default_params.merge(use_default_location: true)
end
it { is_expected.to contain_nginx__resource__location("#{title}-default") }
end
context 'when use_default_location => false' do
let :params do
default_params.merge(use_default_location: false)
end
it { is_expected.not_to contain_nginx__resource__location("#{title}-default") }
end
context 'when location_cfg_prepend => { key => value }' do
let :params do
default_params.merge(location_cfg_prepend: { 'key' => 'value' })
end
it { is_expected.to contain_nginx__resource__location("#{title}-default").with_location_cfg_prepend('key' => 'value') }
end
context "when location_raw_prepend => [ 'foo;' ]" do
let :params do
default_params.merge(location_raw_prepend: ['foo;'])
end
it { is_expected.to contain_nginx__resource__location("#{title}-default").with_raw_prepend(['foo;']) }
end
context "when location_raw_append => [ 'foo;' ]" do
let :params do
default_params.merge(location_raw_append: ['foo;'])
end
it { is_expected.to contain_nginx__resource__location("#{title}-default").with_raw_append(['foo;']) }
end
context 'when location_cfg_append => { key => value }' do
let :params do
default_params.merge(location_cfg_append: { 'key' => 'value' })
end
it { is_expected.to contain_nginx__resource__location("#{title}-default").with_location_cfg_append('key' => 'value') }
end
context 'when fastcgi => "localhost:9000"' do
let :params do
default_params.merge(fastcgi: 'localhost:9000')
end
it { is_expected.to contain_file('/etc/nginx/fastcgi_params').with_mode('0644') }
end
context 'when fastcgi_param => {key => value}' do
let :params do
default_params.merge(fastcgi_param: { 'key' => 'value' })
end
it { is_expected.to contain_nginx__resource__location("#{title}-default").with_fastcgi_param('key' => 'value') }
end
context 'when uwsgi => "uwsgi_upstream"' do
let :params do
default_params.merge(uwsgi: 'uwsgi_upstream')
end
it { is_expected.to contain_file('/etc/nginx/uwsgi_params').with_mode('0644') }
end
context 'when listen_port == ssl_port' do
let :params do
default_params.merge(listen_port: 80,
ssl_port: 80)
end
it { is_expected.not_to contain_concat__fragment("#{title}-header") }
it { is_expected.not_to contain_concat__fragment("#{title}-footer") }
end
context 'when listen_port != ssl_port' do
let :params do
default_params.merge(listen_port: 80,
ssl_port: 443)
end
it { is_expected.to contain_concat__fragment("#{title}-header") }
it { is_expected.to contain_concat__fragment("#{title}-footer") }
end
context 'when ensure => absent' do
let :params do
default_params.merge(ensure: 'absent',
ssl: true,
ssl_key: 'dummy.key',
ssl_cert: 'dummy.cert')
end
it { is_expected.to contain_nginx__resource__location("#{title}-default").with_ensure('absent') }
it { is_expected.to contain_file("#{title}.conf symlink").with_ensure('absent') }
end
context 'when ssl => true and ssl_port == listen_port' do
let :params do
default_params.merge(ssl: true,
listen_port: 80,
ssl_port: 80,
ssl_key: 'dummy.key',
ssl_cert: 'dummy.cert')
end
it { is_expected.to contain_nginx__resource__location("#{title}-default").with_ssl_only(true) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{access_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.access\.log combined;}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{error_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.error\.log}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_certificate\s+dummy.cert;}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_certificate_key\s+dummy.key;}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-footer") }
end
context 'when ssl_client_cert is set' do
let :params do
default_params.merge(ssl: true,
listen_port: 80,
ssl_port: 80,
ssl_key: 'dummy.key',
ssl_cert: 'dummy.cert',
ssl_client_cert: 'client.cert',
ssl_verify_client: 'optional')
end
it { is_expected.to contain_nginx__resource__location("#{title}-default").with_ssl_only(true) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{access_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.access\.log combined;}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{error_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.error\.log}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_verify_client\s+optional;}) }
end
context 'when passenger_cgi_param is set' do
let :params do
default_params.merge(passenger_cgi_param: { 'test1' => 'test value 1', 'test2' => 'test value 2', 'test3' => 'test value 3' })
end
it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{passenger_set_cgi_param test1 test value 1;}) }
it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{passenger_set_cgi_param test2 test value 2;}) }
it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{passenger_set_cgi_param test3 test value 3;}) }
end
context 'when passenger_cgi_param is set and ssl => true' do
let :params do
default_params.merge(passenger_cgi_param: { 'test1' => 'test value 1', 'test2' => 'test value 2', 'test3' => 'test value 3' },
ssl: true,
ssl_key: 'dummy.key',
ssl_cert: 'dummy.cert')
end
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{passenger_set_cgi_param test1 test value 1;}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{passenger_set_cgi_param test2 test value 2;}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{passenger_set_cgi_param test3 test value 3;}) }
end
context 'when passenger_set_header is set' do
let :params do
default_params.merge(passenger_set_header: { 'test1' => 'test value 1', 'test2' => 'test value 2', 'test3' => 'test value 3' })
end
it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{passenger_set_header test1 test value 1;}) }
it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{passenger_set_header test2 test value 2;}) }
it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{passenger_set_header test3 test value 3;}) }
end
context 'when passenger_set_header is set and ssl => true' do
let :params do
default_params.merge(passenger_set_header: { 'test1' => 'test value 1', 'test2' => 'test value 2', 'test3' => 'test value 3' },
ssl: true,
ssl_key: 'dummy.key',
ssl_cert: 'dummy.cert')
end
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{passenger_set_header test1 test value 1;}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{passenger_set_header test2 test value 2;}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{passenger_set_header test3 test value 3;}) }
end
context 'when passenger_env_var is set' do
let :params do
default_params.merge(passenger_env_var: { 'test1' => 'test value 1', 'test2' => 'test value 2', 'test3' => 'test value 3' })
end
it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{passenger_env_var test1 test value 1;}) }
it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{passenger_env_var test2 test value 2;}) }
it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{passenger_env_var test3 test value 3;}) }
end
context 'when passenger_env_var is set and ssl => true' do
let :params do
default_params.merge(passenger_env_var: { 'test1' => 'test value 1', 'test2' => 'test value 2', 'test3' => 'test value 3' },
ssl: true,
ssl_key: 'dummy.key',
ssl_cert: 'dummy.cert')
end
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{passenger_env_var test1 test value 1;}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{passenger_env_var test2 test value 2;}) }
it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{passenger_env_var test3 test value 3;}) }
end
context 'when passenger_pre_start is a string' do
let :params do
default_params.merge(passenger_pre_start: 'http://example.com:80/test/me')
end
it { is_expected.to contain_concat__fragment("#{title}-footer").with_content(%r{passenger_pre_start http://example.com:80/test/me;}) }
end
context 'when passenger_pre_start is an array' do
let :params do
default_params.merge(passenger_pre_start: ['http://example.com:80/test/me', 'http://example.com:3009/foo/bar'])
end
it { is_expected.to contain_concat__fragment("#{title}-footer").with_content(%r{passenger_pre_start http://example.com:80/test/me;}) }
it { is_expected.to contain_concat__fragment("#{title}-footer").with_content(%r{passenger_pre_start http://example.com:3009/foo/bar;}) }
end
context 'when server name is sanitized' do
let(:title) { 'www rspec-server com' }
let(:params) { default_params }
it { is_expected.to contain_concat('/etc/nginx/sites-available/www_rspec-server_com.conf') }
end
context 'when add_header is set' do
let :params do
default_params.merge(add_header: { 'header3' => 'test value 3', 'header2' => 'test value 2', 'header1' => 'test value 1' })
end
it 'has correctly ordered entries in the config' do
is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{\s+add_header\s+"header1" "test value 1";\n\s+add_header\s+"header2" "test value 2";\n\s+add_header\s+"header3" "test value 3";\n})
end
end
context 'when add_header is set and ssl => true' do
let :params do
default_params.merge(add_header: { 'header3' => 'test value 3', 'header2' => 'test value 2', 'header1' => 'test value 1' },
ssl: true,
ssl_key: 'dummy.key',
ssl_cert: 'dummy.cert')
end
it 'has correctly ordered entries in the config' do
is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{\s+add_header\s+"header1" "test value 1";\n\s+add_header\s+"header2" "test value 2";\n\s+add_header\s+"header3" "test value 3";\n})
end
end
end
end
end
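--- a/templates/mailhost/mailhost_ssl_settings.erb
+++ b/templates/mailhost/mailhost_ssl_settings.erb
@@ -1,38 +1,38 @@
 ssl_certificate <%= @ssl_cert %>;
 ssl_certificate_key <%= @ssl_key %>;
 ssl_ciphers <%= @ssl_ciphers %>;
 <% if defined? @ssl_client_cert -%>
 ssl_client_certificate <%= @ssl_client_cert %>;
 ssl_verify_client on;
 <% end -%>
 <%- if defined? @ssl_verify_depth -%>
 ssl_verify_depth <%= @ssl_verify_depth %>;
 <%- end -%>
 <% if @ssl_crl -%>
 ssl_crl <%= @ssl_crl %>;
 <% end -%>
 <% if defined? @ssl_dhparam -%>
 ssl_dhparam <%= @ssl_dhparam %>;
 <% end -%>
 <%- if defined? @ssl_ecdh_curve -%>
 ssl_ecdh_curve <%= @ssl_ecdh_curve %>;
 <%- end -%>
 <%- if defined? @ssl_password_file -%>
 ssl_password_file <%= @ssl_password_file %>;
 <%- end -%>
- ssl_prefer_server_ciphers on;
+ ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
 ssl_protocols <%= @ssl_protocols %>;
 <% if defined? @ssl_session_cache -%>
 ssl_session_cache <%= @ssl_session_cache %>;
 <% end -%>
 <%- if defined? @ssl_session_ticket_key -%>
 ssl_session_ticket_key <%= @ssl_session_ticket_key %>;
 <%- end -%>
 <%- if defined? @ssl_session_tickets -%>
 ssl_session_tickets <%= @ssl_session_tickets %>;
 <%- end -%>
 ssl_session_timeout <%= @ssl_session_timeout %>;
 <%- if defined? @ssl_trusted_cert -%>
 ssl_trusted_certificate <%= @ssl_trusted_cert %>;
 <%- end -%>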
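Review bot: The new `ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;` line is emitted unconditionally and interpolates the value unquoted, so if the mailhost resource leaves that variable unset the template renders `ssl_prefer_server_ciphers ;`, which nginx rejects at reload, and a Puppet boolean would render as `true`/`false` and fail the same way, whereas the surrounding optional settings in this hunk are all `defined?`-guarded. The manifest side of this change is not in view, so I cannot confirm how the parameter is declared; if it is not already typed, declare it as `Enum['on', 'off']` with a default of `'on'` so the previously hard-coded behaviour stays the default and a bad value is caught at catalog compile rather than at nginx reload. It is also worth a sentence in the parameter docs that `off` hands cipher selection to the client, which is only reasonable when `ssl_ciphers` (two lines above, on the new side) is already restricted to a modern list.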
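--- a/templates/server/server_ssl_settings.erb
+++ b/templates/server/server_ssl_settings.erb
@@ -1,49 +1,49 @@
 ssl on;
 <% if @ssl_cert -%>
 ssl_certificate <%= @ssl_cert %>;
 <% end -%>
 <% if @ssl_key -%>
 ssl_certificate_key <%= @ssl_key %>;
 <% end -%>
 <% if defined? @ssl_client_cert -%>
 ssl_client_certificate <%= @ssl_client_cert %>;
 ssl_verify_client <%= @ssl_verify_client %>;
 <% end -%>
 <% if defined? @ssl_dhparam -%>
 ssl_dhparam <%= @ssl_dhparam %>;
 <% end -%>
 ssl_session_cache <%= @ssl_cache %>;
 ssl_session_timeout <%= @ssl_session_timeout %>;
 <% if @ssl_session_tickets -%>
 ssl_session_tickets <%= @ssl_session_tickets %>;
 <% end -%>
 <% if @ssl_session_ticket_key -%>
 ssl_session_ticket_key <%= @ssl_session_ticket_key %>;
 <% end -%>
 <% if @ssl_buffer_size -%>
 ssl_buffer_size <%= @ssl_buffer_size %>;
 <% end -%>
 ssl_protocols <%= @ssl_protocols %>;
 ssl_ciphers <%= @ssl_ciphers %>;
- ssl_prefer_server_ciphers on;
+ ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
 <% if @ssl_crl -%>
 ssl_crl <%= @ssl_crl %>;
 <% end -%>
 <%- if instance_variables.any? { |iv| iv.to_s.include? 'ssl_' } -%>
 <%- if @ssl_stapling -%>
 ssl_stapling on;
 <%- end -%>
 <%- if defined? @ssl_stapling_file -%>
 ssl_stapling_file <%= @ssl_stapling_file %>;
 <%- end -%>
 <%- if defined? @ssl_stapling_responder -%>
 ssl_stapling_responder <%= @ssl_stapling_responder %>;
 <%- end -%>
 <%- if @ssl_stapling_verify -%>
 ssl_stapling_verify on;
 <%- end -%>
 <%- if defined? @ssl_trusted_cert -%>
 ssl_trusted_certificate <%= @ssl_trusted_cert %>;
 <%- end -%>
 <% end -%>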
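Review bot: The replaced `ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;` line has no guard and no quoting, so an unset `@ssl_prefer_server_ciphers` renders as `ssl_prefer_server_ciphers ;` and breaks the server block at reload, and a value outside `on`/`off` does the same; the stapling and crl settings just below it show the guarded pattern this template otherwise uses, but a guard here would silently drop to nginx's built-in default rather than the `on` the template used to pin, so the right place for the check is the resource parameter. That parameter is declared outside this hunk, so I cannot see its type; constraining it to `Enum['on', 'off']` with default `'on'` keeps the old secure default and rejects bad input at compile time, and the new server_spec cases on this page could then cover both values. Separately, the first line of this template, `ssl on;`, is the directive nginx deprecated in favour of `listen ... ssl`; the commit does not touch it, but it is worth tracking if this module targets current nginx releases.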
