diff --git a/manifests/resource/server.pp b/manifests/resource/server.pp
index 654480b..2afb41d 100644
--- a/manifests/resource/server.pp
+++ b/manifests/resource/server.pp
@@ -1,480 +1,483 @@ # define: nginx::resource::server # # This definition creates a virtual host # # Parameters: # [*ensure*] - Enables or disables the specified server (present|absent) # [*listen_ip*] - Default IP Address for NGINX to listen with this server on. Defaults to all interfaces (*) # [*listen_port*] - Default IP Port for NGINX to listen with this server on. Defaults to TCP 80 # [*listen_options*] - Extra options for listen directive like 'default_server' to catchall. Undef by default. # [*listen_unix_socket_enable*] - BOOL value to enable/disable UNIX socket listening support (false|true). # [*listen_unix_socket*] - Default unix socket for NGINX to listen with this server on. Defaults to UNIX /var/run/nginx.sock # [*listen_unix_socket_options*] - Extra options for listen directive like 'default' to catchall. Undef by default. # [*location_satisfy*] - Allows access if all (all) or at least one (any) of the auth modules allow access. # [*location_allow*] - Array: Locations to allow connections from. # [*location_deny*] - Array: Locations to deny connections from. # [*ipv6_enable*] - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6 support # exists on your system before enabling. # [*ipv6_listen_ip*] - Default IPv6 Address for NGINX to listen with this server on. Defaults to all interfaces (::) # [*ipv6_listen_port*] - Default IPv6 Port for NGINX to listen with this server on. Defaults to TCP 80 # [*ipv6_listen_options*] - Extra options for listen directive like 'default' to catchall. Template will allways add ipv6only=on. # While issue jfryman/puppet-nginx#30 is discussed, default value is 'default'. # [*add_header*] - Hash: Adds headers to the HTTP response when response code is equal to 200, 204, 301, 302 or 304. # [*index_files*] - Default index files for NGINX to read when traversing a directory # [*autoindex*] - Set it on 'on' or 'off 'to activate/deactivate autoindex directory listing. Undef by default. 
# [*proxy*] - Proxy server(s) for the root location to connect to. Accepts a single value, can be used in # conjunction with nginx::resource::upstream # [*proxy_read_timeout*] - Override the default proxy read timeout value of 90 seconds # [*proxy_send_timeout*] - Override the default proxy send timeout value of 90 seconds # [*proxy_redirect*] - Override the default proxy_redirect value of off. # [*proxy_buffering*] - If defined, sets the proxy_buffering to the passed value. # [*proxy_max_temp_file_size*] - Sets the maximum size of the temporary buffer file. # [*proxy_busy_buffers_size*] - Sets the total size of buffers that can be # busy sending a response to the client while the response is not yet fully read. # [*resolver*] - Array: Configures name servers used to resolve names of upstream servers into addresses. # [*fastcgi*] - location of fastcgi (host:port) # [*fastcgi_param*] - Set additional custom fastcgi_params # [*fastcgi_params*] - optional alternative fastcgi_params file to use # [*fastcgi_index*] - optional FastCGI index page # [*fastcgi_script*] - optional SCRIPT_FILE parameter # [*uwsgi_read_timeout*] - optional value for uwsgi_read_timeout # [*ssl*] - Indicates whether to setup SSL bindings for this server. # [*ssl_cert*] - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module. # Set to `false` to inherit from the http section, which improves performance by conserving memory. # [*ssl_client_cert*] - Pre-generated SSL Certificate file to reference for client verify SSL Support. This is not generated by # this module. # [*ssl_verify_client*] - Enables verification of client certificates. # [*ssl_crl*] - String: Specifies CRL path in file system # [*ssl_dhparam*] - This directive specifies a file containing Diffie-Hellman key agreement protocol cryptographic # parameters, in PEM format, utilized for exchanging session keys between server and client. 
Defaults to nginx::ssl_dhparam # [*ssl_ecdh_curve*] - This directive specifies a curve for ECDHE ciphers. # [*ssl_prefer_server_ciphers*] - String: Specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and # TLS protocols. Defaults to nginx::ssl_prefer_server_ciphers. # [*ssl_redirect*] - Adds a server directive and return statement to force ssl redirect. Will honor ssl_port if it's set. # [*ssl_redirect_port*] - Overrides $ssl_port in the SSL redirect set by ssl_redirect # [*ssl_key*] - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module. Set to # `false` to inherit from the http section, which improves performance by conserving memory. # [*ssl_port*] - Default IP Port for NGINX to listen with this SSL server on. Defaults to TCP 443 # [*ssl_protocols*] - SSL protocols enabled. Defaults to 'TLSv1 TLSv1.1 TLSv1.2'. # [*ssl_buffer_size*] - Sets the size of the buffer used for sending data. # [*ssl_ciphers*] - SSL ciphers enabled. Defaults to nginx::ssl_ciphers # [*ssl_stapling*] - Bool: Enables or disables stapling of OCSP responses by the server. Defaults to false. # [*ssl_stapling_file*] - String: When set, the stapled OCSP response will be taken from the specified file instead of querying # the OCSP responder specified in the server certificate. # [*ssl_stapling_responder*] - String: Overrides the URL of the OCSP responder specified in the Authority Information Access # certificate extension. # [*ssl_stapling_verify*] - Bool: Enables or disables verification of OCSP responses by the server. Defaults to false. # [*ssl_session_timeout*] - String: Specifies a time during which a client may reuse the session parameters stored in a cache. # Defaults to 5m. # [*ssl_session_tickets*] - String: Enables or disables session resumption through TLS session tickets. # [*ssl_session_ticket_key*] - String: Sets a file with the secret key used to encrypt and decrypt TLS session tickets. 
# [*ssl_trusted_cert*] - String: Specifies a file with trusted CA certificates in the PEM format used to verify client # certificates and OCSP responses if ssl_stapling is enabled. # [*ssl_verify_depth*] - Integer: Sets the verification depth in the client certificates chain. # [*spdy*] - Toggles SPDY protocol. # [*http2*] - Toggles HTTP/2 protocol. # [*server_name*] - List of servernames for which this server will respond. Default [$name]. # [*www_root*] - Specifies the location on disk for files to be read from. Cannot be set in conjunction with $proxy # [*rewrite_www_to_non_www*] - Adds a server directive and rewrite rule to rewrite www.domain.com to domain.com in order to avoid # duplicate content (SEO); +# [*rewrite_non_www_to_www*] - Adds a server directive and rewrite rule to rewrite domain.com to www.domain.com in order to avoid +# duplicate content (SEO); # [*try_files*] - Specifies the locations for files to be checked as an array. Cannot be used in conjuction with $proxy. # [*proxy_cache*] - This directive sets name of zone for caching. The same zone can be used in multiple places. # [*proxy_cache_key*] - Override the default proxy_cache_key of $scheme$proxy_host$request_uri # [*proxy_cache_use_stale*] - Override the default proxy_cache_use_stale value of off. # [*proxy_cache_valid*] - This directive sets the time for caching different replies. # [*proxy_cache_lock*] - This directive sets the locking mechanism for pouplating cache. # [*proxy_cache_bypass*] - Defines conditions which the response will not be cached # [*proxy_method*] - If defined, overrides the HTTP method of the request to be passed to the backend. # [*proxy_http_version*] - Sets the proxy http version # [*proxy_set_body*] - If defined, sets the body passed to the backend. # [*absolute_redirect*] - Enables or disables the absolute redirect functionality of nginx # [*auth_basic*] - This directive includes testing name and password with HTTP Basic Authentication. 
# [*auth_basic_user_file*] - This directive sets the htpasswd filename for the authentication realm. # [*auth_request*] - This allows you to specify a custom auth endpoint # [*client_max_body_size*] - This directive sets client_max_body_size. # [*client_body_timeout*] - Sets how long the server will wait for a client body. Default is 60s # [*client_header_timeout*] - Sets how long the server will wait for a client header. Default is 60s # [*raw_prepend*] - A single string, or an array of strings to prepend to the server directive (after cfg prepend # directives). NOTE: YOU are responsible for a semicolon on each line that requires one. # [*raw_append*] - A single string, or an array of strings to append to the server directive (after cfg append # directives). NOTE: YOU are responsible for a semicolon on each line that requires one. # [*location_raw_prepend*] - A single string, or an array of strings to prepend to the location directive (after custom_cfg # directives). NOTE: YOU are responsible for a semicolon on each line that requires one. # [*location_raw_append*] - A single string, or an array of strings to append to the location directive (after custom_cfg # directives). NOTE: YOU are responsible for a semicolon on each line that requires one. # [*server_cfg_append*] - It expects a hash with custom directives to put after everything else inside server # [*server_cfg_prepend*] - It expects a hash with custom directives to put before everything else inside server # [*server_cfg_ssl_append*] - It expects a hash with custom directives to put after everything else inside server ssl # [*server_cfg_ssl_prepend*] - It expects a hash with custom directives to put before everything else inside server ssl # [*include_files*] - Adds include files to server # [*access_log*] - Where to write access log (log format can be set with $format_log). This can be either a string or an # array; in the latter case, multiple lines will be created. 
Additionally, unlike the earlier behavior, setting it to 'absent' in the # server context will remove this directive entirely from the server stanza, rather than setting a default. Can also be disabled for # this server with the string 'off'. # [*error_log*] - Where to write error log. May add additional options like error level to the end. May set to 'absent', # in which case it will be omitted in this server stanza (and default to nginx.conf setting) # [*passenger_cgi_param*] - Allows one to define additional CGI environment variables to pass to the backend application # [*passenger_set_header*] - Allows one to set headers to pass to the backend application (Passenger 5.0+) # [*passenger_env_var*] - Allows one to set environment variables to pass to the backend application (Passenger 5.0+) # [*passenger_pre_start*] - Allows setting a URL to pre-warm the host. Per Passenger docs, the "domain part of the URL" must match # a value of server_name. If this is an array, multiple URLs can be specified. # [*log_by_lua*] - Run the Lua source code inlined as the at the log request processing phase. This does # not replace the current access logs, but runs after. # [*log_by_lua_file*] - Equivalent to log_by_lua, except that the file specified by contains the Lua # code, or, as from the v0.5.0rc32 release, the Lua/LuaJIT bytecode to be executed. # [*gzip_types*] - Defines gzip_types, nginx default is text/html # [*owner*] - Defines owner of the .conf file # [*group*] - Defines group of the .conf file # [*mode*] - Defines mode of the .conf file # [*maintenance*] - A boolean value to set a server in maintenance # [*maintenance_value*] - Value to return when maintenance is on. 
Default to return 503 # [*error_pages*] - Hash: setup errors pages, hash key is the http code and hash value the page # [*locations*] - Hash of servers resources used by this server # [*locations_defaults*] - Hash of location default settings # [*add_listen_directive*] - Boolean to determine if we should add 'ssl on;' to the vhost or not. defaults to true for nginx 1.14 and older, otherwise false # Actions: # # Requires: # # Sample Usage: # nginx::resource::server { 'test2.local': # ensure => present, # www_root => '/var/www/nginx-default', # ssl => true, # ssl_cert => '/tmp/server.crt', # ssl_key => '/tmp/server.pem', # } define nginx::resource::server ( Enum['absent', 'present'] $ensure = 'present', Variant[Array, String] $listen_ip = '*', Integer $listen_port = 80, Optional[String] $listen_options = undef, Boolean $listen_unix_socket_enable = false, Variant[Array[Stdlib::Absolutepath], Stdlib::Absolutepath] $listen_unix_socket = '/var/run/nginx.sock', Optional[String] $listen_unix_socket_options = undef, Optional[Enum['any', 'all']] $location_satisfy = undef, Array $location_allow = [], Array $location_deny = [], Boolean $ipv6_enable = false, Variant[Array, String] $ipv6_listen_ip = '::', Integer $ipv6_listen_port = 80, String $ipv6_listen_options = 'default ipv6only=on', Hash $add_header = {}, Boolean $ssl = false, Boolean $ssl_listen_option = true, Optional[Variant[String, Boolean]] $ssl_cert = undef, Optional[String] $ssl_client_cert = undef, String $ssl_verify_client = 'on', Optional[String] $ssl_dhparam = $nginx::ssl_dhparam, Optional[String] $ssl_ecdh_curve = undef, Boolean $ssl_redirect = false, Optional[Integer] $ssl_redirect_port = undef, Optional[Variant[String, Boolean]] $ssl_key = undef, Integer $ssl_port = 443, Enum['on', 'off'] $ssl_prefer_server_ciphers = $nginx::ssl_prefer_server_ciphers, String $ssl_protocols = $nginx::ssl_protocols, $ssl_buffer_size = undef, String $ssl_ciphers = $nginx::ssl_ciphers, String $ssl_cache = 'shared:SSL:10m', 
Optional[String] $ssl_crl = undef, Boolean $ssl_stapling = false, Optional[String] $ssl_stapling_file = undef, Optional[String] $ssl_stapling_responder = undef, Boolean $ssl_stapling_verify = false, String $ssl_session_timeout = '5m', Optional[String] $ssl_session_tickets = undef, Optional[String] $ssl_session_ticket_key = undef, Optional[String] $ssl_trusted_cert = undef, Optional[Integer] $ssl_verify_depth = undef, Enum['on', 'off'] $spdy = $nginx::spdy, Enum['on', 'off'] $http2 = $nginx::http2, Optional[String] $proxy = undef, Optional[String]$proxy_redirect = undef, String $proxy_read_timeout = $nginx::proxy_read_timeout, String $proxy_send_timeout = $nginx::proxy_send_timeout, $proxy_connect_timeout = $nginx::proxy_connect_timeout, Array[String] $proxy_set_header = $nginx::proxy_set_header, Array[String] $proxy_hide_header = $nginx::proxy_hide_header, Array[String] $proxy_pass_header = $nginx::proxy_pass_header, Optional[String] $proxy_cache = undef, Optional[String] $proxy_cache_key = undef, Optional[String] $proxy_cache_use_stale = undef, Optional[Variant[Array[String], String]] $proxy_cache_valid = undef, Optional[Enum['on', 'off']] $proxy_cache_lock = undef, Optional[Variant[Array[String], String]] $proxy_cache_bypass = undef, Optional[String] $proxy_method = undef, Optional[String] $proxy_http_version = undef, Optional[String] $proxy_set_body = undef, Optional[String] $proxy_buffering = undef, Optional[Nginx::Size] $proxy_max_temp_file_size = undef, Optional[Nginx::Size] $proxy_busy_buffers_size = undef, Array $resolver = [], Optional[String] $fastcgi = undef, Optional[String] $fastcgi_index = undef, $fastcgi_param = undef, String $fastcgi_params = "${nginx::conf_dir}/fastcgi.conf", Optional[String] $fastcgi_script = undef, Optional[String] $uwsgi = undef, String $uwsgi_params = "${nginx::config::conf_dir}/uwsgi_params", Optional[String] $uwsgi_read_timeout = undef, Array $index_files = [ 'index.html', 'index.htm', 'index.php'], Optional[String] 
$autoindex = undef, Array[String] $server_name = [$name], Optional[String] $www_root = undef, Boolean $rewrite_www_to_non_www = false, + Boolean $rewrite_non_www_to_www = false, Optional[Hash] $location_custom_cfg = undef, Optional[Hash] $location_cfg_prepend = undef, Optional[Hash] $location_cfg_append = undef, Optional[Hash] $location_custom_cfg_prepend = undef, Optional[Hash] $location_custom_cfg_append = undef, Optional[Array[String]] $try_files = undef, Optional[Enum['on', 'off']] $absolute_redirect = undef, Optional[String] $auth_basic = undef, Optional[String] $auth_basic_user_file = undef, Optional[String] $auth_request = undef, Optional[String] $client_body_timeout = undef, Optional[String] $client_header_timeout = undef, $client_max_body_size = undef, Optional[Variant[Array[String], String]] $raw_prepend = undef, Optional[Variant[Array[String], String]] $raw_append = undef, Optional[Variant[Array[String], String]] $location_raw_prepend = undef, Optional[Variant[Array[String], String]] $location_raw_append = undef, Optional[Hash] $server_cfg_prepend = undef, Optional[Hash] $server_cfg_append = undef, Optional[Hash] $server_cfg_ssl_prepend = undef, Optional[Hash] $server_cfg_ssl_append = undef, Optional[Array[String]] $include_files = undef, Optional[Variant[String, Array]] $access_log = undef, Optional[Variant[String, Array]] $error_log = undef, $format_log = 'combined', Optional[Hash] $passenger_cgi_param = undef, Optional[Hash] $passenger_set_header = undef, Optional[Hash] $passenger_env_var = undef, Optional[Variant[Array[String], String]] $passenger_pre_start = undef, Optional[String] $log_by_lua = undef, Optional[String] $log_by_lua_file = undef, $use_default_location = true, $rewrite_rules = [], $string_mappings = {}, $geo_mappings = {}, Optional[String] $gzip_types = undef, String $owner = $nginx::global_owner, String $group = $nginx::global_group, String $mode = $nginx::global_mode, Boolean $maintenance = false, String $maintenance_value = 'return 
503', $error_pages = undef, Hash $locations = {}, Hash $locations_defaults = {}, Boolean $add_listen_directive = $nginx::add_listen_directive, ) { if ! defined(Class['nginx']) { fail('You must include the nginx base class before using any defined resources') } # Variables if $nginx::confd_only { $server_dir = "${nginx::conf_dir}/conf.d" } else { $server_dir = "${nginx::conf_dir}/sites-available" $server_enable_dir = "${nginx::conf_dir}/sites-enabled" $server_symlink_ensure = $ensure ? { 'absent' => absent, default => 'link', } } $name_sanitized = regsubst($name, ' ', '_', 'G') $config_file = "${server_dir}/${name_sanitized}.conf" File { ensure => $ensure ? { 'absent' => absent, default => 'file', }, notify => Class['::nginx::service'], owner => $owner, group => $group, mode => $mode, } # Add IPv6 Logic Check - Nginx service will not start if ipv6 is enabled # and support does not exist for it in the kernel. if $ipv6_enable and !$ipv6_listen_ip { warning('nginx: IPv6 support is not enabled or configured properly') } # Check to see if SSL Certificates are properly defined. if $ssl { if $ssl_cert == undef { fail('nginx: ssl_cert must be set to false or to a fully qualified path') } if $ssl_key == undef { fail('nginx: ssl_key must be set to false or to a fully qualified path') } } # Try to error in the case where the user sets ssl_port == listen_port but # doesn't set ssl = true if !$ssl and $ssl_port == $listen_port { warning('nginx: ssl must be true if listen_port is the same as ssl_port') } concat { $config_file: ensure => $ensure, owner => $owner, group => $group, mode => $mode, notify => Class['::nginx::service'], require => File[$server_dir], } # This deals with a situation where the listen directive for SSL doesn't match # the port we want to force the SSL redirect to. 
if $ssl_redirect_port { $_ssl_redirect_port = $ssl_redirect_port } elsif $ssl_port { $_ssl_redirect_port = $ssl_port } # Suppress unneeded stuff in non-SSL location block when certain conditions are # met. $ssl_only = ($ssl and $ssl_port == $listen_port) or $ssl_redirect # If we're redirecting to SSL, the default location block is useless, *unless* # SSL is enabled for this server # either and ssl -> true # ssl redirect and no ssl -> false if (!$ssl_redirect or $ssl) and $use_default_location { # Create the default location reference for the server nginx::resource::location {"${name_sanitized}-default": ensure => $ensure, server => $name_sanitized, ssl => $ssl, ssl_only => $ssl_only, location => '/', location_satisfy => $location_satisfy, location_allow => $location_allow, location_deny => $location_deny, proxy => $proxy, proxy_redirect => $proxy_redirect, proxy_read_timeout => $proxy_read_timeout, proxy_send_timeout => $proxy_send_timeout, proxy_connect_timeout => $proxy_connect_timeout, proxy_cache => $proxy_cache, proxy_cache_key => $proxy_cache_key, proxy_cache_use_stale => $proxy_cache_use_stale, proxy_cache_valid => $proxy_cache_valid, proxy_method => $proxy_method, proxy_http_version => $proxy_http_version, proxy_set_header => $proxy_set_header, proxy_hide_header => $proxy_hide_header, proxy_pass_header => $proxy_pass_header, proxy_cache_lock => $proxy_cache_lock, proxy_set_body => $proxy_set_body, proxy_cache_bypass => $proxy_cache_bypass, proxy_buffering => $proxy_buffering, proxy_busy_buffers_size => $proxy_busy_buffers_size, proxy_max_temp_file_size => $proxy_max_temp_file_size, fastcgi => $fastcgi, fastcgi_index => $fastcgi_index, fastcgi_param => $fastcgi_param, fastcgi_params => $fastcgi_params, fastcgi_script => $fastcgi_script, uwsgi => $uwsgi, uwsgi_params => $uwsgi_params, uwsgi_read_timeout => $uwsgi_read_timeout, try_files => $try_files, www_root => $www_root, autoindex => $autoindex, index_files => $index_files, location_custom_cfg => 
$location_custom_cfg, location_cfg_prepend => $location_cfg_prepend, location_cfg_append => $location_cfg_append, location_custom_cfg_prepend => $location_custom_cfg_prepend, location_custom_cfg_append => $location_custom_cfg_append, rewrite_rules => $rewrite_rules, raw_prepend => $location_raw_prepend, raw_append => $location_raw_append, notify => Class['nginx::service'], } $root = undef } else { $root = $www_root } # Only try to manage these files if they're the default one (as you presumably # usually don't want the default template if you're using a custom file. if $fastcgi != undef and !defined(File[$fastcgi_params]) and $fastcgi_params == "${nginx::conf_dir}/fastcgi.conf" { file { $fastcgi_params: ensure => present, mode => '0644', content => template('nginx/server/fastcgi.conf.erb'), } } if $uwsgi != undef and !defined(File[$uwsgi_params]) and $uwsgi_params == "${nginx::conf_dir}/uwsgi_params" { file { $uwsgi_params: ensure => present, mode => '0644', content => template('nginx/server/uwsgi_params.erb'), } } if $listen_port != $ssl_port { concat::fragment { "${name_sanitized}-header": target => $config_file, content => template('nginx/server/server_header.erb'), order => '001', } # Create a proper file close stub. 
concat::fragment { "${name_sanitized}-footer": target => $config_file, content => template('nginx/server/server_footer.erb'), order => '699', } } # Create SSL File Stubs if SSL is enabled if $ssl { # Access and error logs are named differently in ssl template File <| title == $ssl_cert or path == $ssl_cert or title == $ssl_key or path == $ssl_key |> -> concat::fragment { "${name_sanitized}-ssl-header": target => $config_file, content => template('nginx/server/server_ssl_header.erb'), order => '700', } concat::fragment { "${name_sanitized}-ssl-footer": target => $config_file, content => template('nginx/server/server_ssl_footer.erb'), order => '999', } } unless $nginx::confd_only { file{ "${name_sanitized}.conf symlink": ensure => $server_symlink_ensure, path => "${server_enable_dir}/${name_sanitized}.conf", target => $config_file, require => [File[$server_dir], Concat[$config_file]], notify => Class['::nginx::service'], } } create_resources('::nginx::resource::map', $string_mappings) create_resources('::nginx::resource::geo', $geo_mappings) create_resources('::nginx::resource::location', $locations, { ensure => $ensure, server => $name_sanitized, ssl => $ssl, ssl_only => $ssl_only, www_root => $www_root, } + $locations_defaults) } diff --git a/spec/defines/resource_server_spec.rb b/spec/defines/resource_server_spec.rb index 4732399..06db777 100644 --- a/spec/defines/resource_server_spec.rb +++ b/spec/defines/resource_server_spec.rb 
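Review bot: Nothing in the define body stops `rewrite_www_to_non_www` and the new `rewrite_non_www_to_www` from both being true; the only changes visible in this manifest are the parameter declaration and its doc line. The templates that read the flag are not part of this hunk, so the outcome is inferred, but two opposite 301 rules for the same names would most likely bounce clients between the www and naked host or emit conflicting server blocks. I would add a guard next to the existing SSL checks: `if $rewrite_www_to_non_www and $rewrite_non_www_to_www { fail('nginx: rewrite_www_to_non_www and rewrite_non_www_to_www are mutually exclusive') }`. The doc line could also say what happens when a `server_name` entry already starts with `www.`, and whether every entry in a multi-name list is rewritten.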
@@ -1,1443 +1,1535 @@ require 'spec_helper' describe 'nginx::resource::server' do on_supported_os.each do |os, facts| context "on #{os}" do let(:facts) do facts end let :title do 'www.rspec.example.com' end let :default_params do { www_root: '/', ipv6_enable: true, listen_unix_socket_enable: true, fastcgi_index: 'index.php' } end let :pre_condition do [ 'include ::nginx' ] end describe 'os-independent items' do describe 'basic assumptions' do let(:params) { default_params } it { is_expected.to contain_class('nginx') } it do is_expected.to contain_concat("/etc/nginx/sites-available/#{title}.conf").with('owner' => 'root', 'group' => 'root', 'mode' => '0644') end it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{access_log\s+/var/log/nginx/www\.rspec\.example\.com\.access\.log combined;}) } it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{error_log\s+/var/log/nginx/www\.rspec\.example\.com\.error\.log}) } it { is_expected.to contain_concat__fragment("#{title}-footer") } it { is_expected.to contain_nginx__resource__location("#{title}-default") } it { is_expected.not_to contain_file('/etc/nginx/fastcgi.conf') } it do is_expected.to contain_file("#{title}.conf symlink").with('ensure' => 'link', 'path' => "/etc/nginx/sites-enabled/#{title}.conf", 'target' => "/etc/nginx/sites-available/#{title}.conf") end end describe 'with $confd_only enabled' do let(:pre_condition) { 'class { "nginx": confd_only => true }' } let(:params) { default_params } it { is_expected.to contain_class('nginx') } it do is_expected.to contain_concat("/etc/nginx/conf.d/#{title}.conf").with('owner' => 'root', 'group' => 'root', 'mode' => '0644') is_expected.not_to contain_file('/etc/nginx/sites-enabled') is_expected.not_to contain_file('/etc/nginx/sites-available') end end describe 'server_header template content' do [ { title: 'should not contain www to non-www rewrite', attr: 'rewrite_www_to_non_www', value: false, notmatch: %r{ ^ 
\s+server_name\s+www\.rspec\.example\.com;\n \s+return\s+301\s+http://rspec\.example\.com\$request_uri; }x }, { title: 'should contain www to non-www rewrite', attr: 'rewrite_www_to_non_www', value: true, match: %r{ ^ \s+server_name\s+www\.rspec\.example\.com;\n \s+return\s+301\s+http://rspec\.example\.com\$request_uri; }x }, { title: 'should set the IPv4 listen IP', attr: 'listen_ip', value: '127.0.0.1', match: %r{\s+listen\s+127.0.0.1:80;} }, { title: 'should set the IPv4 listen port', attr: 'listen_port', value: 45, match: %r{\s+listen\s+\*:45;} }, { title: 'should set the IPv4 listen options', attr: 'listen_options', value: 'spdy default', match: %r{\s+listen\s+\*:80 spdy default;} }, { title: 'should enable IPv6', attr: 'ipv6_enable', value: true, match: %r{\s+listen\s+\[::\]:80 default ipv6only=on;} }, { title: 'should not enable IPv6', attr: 'ipv6_enable', value: false, notmatch: %r{\slisten \[::\]:80 default ipv6only=on;} }, { title: 'should set the IPv6 listen IP', attr: 'ipv6_listen_ip', value: '2001:0db8:85a3:0000:0000:8a2e:0370:7334', match: %r{\s+listen\s+\[2001:0db8:85a3:0000:0000:8a2e:0370:7334\]:80 default ipv6only=on;} }, { title: 'should set the IPv6 listen port', attr: 'ipv6_listen_port', value: 45, match: %r{\s+listen\s+\[::\]:45 default ipv6only=on;} }, { title: 'should set the IPv6 listen options', attr: 'ipv6_listen_options', value: 'spdy', match: %r{\s+listen\s+\[::\]:80 spdy;} }, { title: 'should enable listening on unix socket', attr: 'listen_unix_socket_enable', value: true, match: %r{\s+listen\s+unix:/var/run/nginx\.sock;} }, { title: 'should not enable listening on unix socket', attr: 'listen_unix_socket_enable', value: false, notmatch: %r{\s+listen\s+unix:/var/run/nginx\.sock;} }, { title: 'should set the listen unix socket', attr: 'listen_unix_socket', value: '/var/run/puppet_nginx.sock', match: %r{\s+listen\s+unix:/var/run/puppet_nginx\.sock;} }, { title: 'should set the listen unix socket options', attr: 
'listen_unix_socket_options', value: 'spdy', match: %r{\s+listen\s+unix:/var/run/nginx\.sock spdy;} }, { title: 'should set servername(s)', attr: 'server_name', value: ['www.foo.com', 'foo.com'], match: %r{\s+server_name\s+www.foo.com foo.com;} }, { title: 'should rewrite www servername to non-www', attr: 'rewrite_www_to_non_www', value: true, match: %r{\s+server_name\s+rspec.example.com;} }, { title: 'should not rewrite www servername to non-www', attr: 'rewrite_www_to_non_www', value: false, match: %r{\s+server_name\s+www.rspec.example.com;} }, { title: 'should not set absolute_redirect', attr: 'absolute_redirect', value: :undef, notmatch: %r{absolute_redirect} }, { title: 'should set absolute_redirect off', attr: 'absolute_redirect', value: 'off', match: ' absolute_redirect off;' }, { title: 'should set auth_basic', attr: 'auth_basic', value: 'value', match: %r{\s+auth_basic\s+"value";} }, { title: 'should set auth_basic_user_file', attr: 'auth_basic_user_file', value: 'value', match: %r{\s+auth_basic_user_file\s+value;} }, { title: 'should set auth_request', attr: 'auth_request', value: 'value', match: %r{\s+auth_request\s+value;} }, { title: 'should set the client_body_timeout', attr: 'client_body_timeout', value: 'value', match: %r{^\s+client_body_timeout\s+value;} }, { title: 'should set the client_header_timeout', attr: 'client_header_timeout', value: 'value', match: %r{^\s+client_header_timeout\s+value;} }, { title: 'should set the gzip_types', attr: 'gzip_types', value: 'value', match: %r{^\s+gzip_types\s+value;} }, { title: 'should contain raw_prepend directives', attr: 'raw_prepend', value: [ 'if (a) {', ' b;', '}' ], match: %r{^\s+if \(a\) \{\n\s++b;\n\s+\}} }, { title: 'should contain ordered prepended directives', attr: 'server_cfg_prepend', value: { 'test1' => ['test value 1a', 'test value 1b'], 'test2' => 'test value 2', 'allow' => 'test value 3' }, match: [ ' allow test value 3;', ' test1 test value 1a;', ' test1 test value 1b;', ' test2 test 
value 2;' ] }, { title: 'should set root', attr: 'use_default_location', value: false, match: ' root /;' }, { title: 'should not set root', attr: 'use_default_location', value: true, notmatch: %r{ root /;} }, { title: 'should force https (SSL) redirect', attr: 'ssl_redirect', value: true, match: %r{ return 301 https://\$host\$request_uri;} }, { title: 'should not force https (SSL) redirect', attr: 'ssl_redirect', value: false, notmatch: %r{\s*return\s+301} }, { title: 'should set access_log', attr: 'access_log', value: '/path/to/access.log', match: ' access_log /path/to/access.log combined;' }, { title: 'should set multiple access_log directives', attr: 'access_log', value: ['/path/to/log/1', 'syslog:server=localhost'], match: [ ' access_log /path/to/log/1 combined;', ' access_log syslog:server=localhost combined;' ] }, { title: 'should set access_log off', attr: 'access_log', value: 'off', match: ' access_log off;' }, { title: 'should set access_log to syslog', attr: 'access_log', value: 'syslog:server=localhost', match: ' access_log syslog:server=localhost combined;' }, { title: 'should set format_log custom_format', attr: 'format_log', value: 'custom', match: ' access_log /var/log/nginx/www.rspec.example.com.access.log custom;' }, { title: 'should not include access_log in server when set to absent', attr: 'access_log', value: 'absent', notmatch: 'access_log' }, { title: 'should set error_log', attr: 'error_log', value: '/path/to/error.log', match: ' error_log /path/to/error.log;' }, { title: 'should allow multiple error_log directives', attr: 'error_log', value: ['/path/to/error.log', 'syslog:server=localhost'], match: [ ' error_log /path/to/error.log;', ' error_log syslog:server=localhost;' ] }, { title: 'should not include error_log in server when set to absent', attr: 'error_log', value: 'absent', notmatch: 'error_log' }, { title: 'should set error_pages', attr: 'error_pages', value: { '503' => '/foo.html' }, match: ' error_page 503 /foo.html;' }, { title: 
'should set index_file(s)', attr: 'index_files', value: %w[name1 name2], match: %r{\s*index\s+name1\s+name2;} }, { title: 'should not set index_file(s)', attr: 'index_files', value: [], notmatch: %r{\s+index\s+} }, { title: 'should set autoindex', attr: 'autoindex', value: 'on', match: ' autoindex on;' } ].each do |param| context "when #{param[:attr]} is #{param[:value]}" do let(:params) { default_params.merge(param[:attr].to_sym => param[:value]) } it { is_expected.to contain_concat__fragment("#{title}-header") } it param[:title] do matches = Array(param[:match]) if matches.all? { |m| m.is_a? Regexp } matches.each { |item| is_expected.to contain_concat__fragment("#{title}-header").with_content(item) } else lines = catalogue.resource('concat::fragment', "#{title}-header").send(:parameters)[:content].split("\n") expect(lines & Array(param[:match])).to eq(Array(param[:match])) end Array(param[:notmatch]).each do |item| is_expected.to contain_concat__fragment("#{title}-header").without_content(item) end end end end + + context 'with a naked domain title' do + let(:title) { 'rspec.example.com' } + + [ + { + title: 'should not contain non-www to www rewrite', + attr: 'rewrite_non_www_to_www', + value: false, + notmatch: %r{ + ^ + \s+server_name\s+rspec\.example\.com;\n + \s+return\s+301\s+http://www\.rspec\.example\.com\$request_uri; + }x + }, + { + title: 'should contain non-www to www rewrite', + attr: 'rewrite_non_www_to_www', + value: true, + match: %r{ + ^ + \s+server_name\s+rspec\.example\.com;\n + \s+return\s+301\s+http://www\.rspec\.example\.com\$request_uri; + }x + }, + { + title: 'should rewrite non-www servername to www', + attr: 'rewrite_non_www_to_www', + value: true, + match: %r{\s+server_name\s+www.rspec.example.com;} + }, + { + title: 'should not rewrite non-www servername to www', + attr: 'rewrite_non_www_to_www', + value: false, + notmatch: %r{\s+server_name\s+www.rspec.example.com;} + } + ].each do |param| + context "when #{param[:attr]} is 
#{param[:value]}" do + let(:params) { default_params.merge(param[:attr].to_sym => param[:value]) } + + it { is_expected.to contain_concat__fragment("#{title}-header") } + it param[:title] do + matches = Array(param[:match]) + + if matches.all? { |m| m.is_a? Regexp } + matches.each { |item| is_expected.to contain_concat__fragment("#{title}-header").with_content(item) } + else + lines = catalogue.resource('concat::fragment', "#{title}-header").send(:parameters)[:content].split("\n") + expect(lines & Array(param[:match])).to eq(Array(param[:match])) + end + Array(param[:notmatch]).each do |item| + is_expected.to contain_concat__fragment("#{title}-header").without_content(item) + end + end + end + end + end end describe 'server_footer template content' do [ { title: 'should not contain www to non-www rewrite', attr: 'rewrite_www_to_non_www', value: false, notmatch: %r{ ^ \s+server_name\s+www\.rspec\.example\.com;\n \s+return\s+301\s+https://rspec\.example\.com\$request_uri; }x }, { title: 'should contain include directives', attr: 'include_files', value: ['/file1', '/file2'], match: [ %r{^\s+include\s+/file1;}, %r{^\s+include\s+/file2;} ] }, { title: 'should contain ordered appended directives', attr: 'server_cfg_append', value: { 'test1' => 'test value 1', 'test2' => ['test value 2a', 'test value 2b'], 'allow' => 'test value 3' }, match: [ ' allow test value 3;', ' test1 test value 1;', ' test2 test value 2a;', ' test2 test value 2b;' ] }, { title: 'should contain raw_append directives', attr: 'raw_append', value: [ 'if (a) {', ' b;', '}' ], match: %r{^\s+if \(a\) \{\n\s++b;\n\s+\}} } ].each do |param| context "when #{param[:attr]} is #{param[:value]}" do let(:params) { default_params.merge(param[:attr].to_sym => param[:value]) } it { is_expected.to contain_concat__fragment("#{title}-footer") } it param[:title] do matches = Array(param[:match]) if matches.all? { |m| m.is_a? 
Regexp } matches.each { |item| is_expected.to contain_concat__fragment("#{title}-footer").with_content(item) } else lines = catalogue.resource('concat::fragment', "#{title}-footer").send(:parameters)[:content].split("\n") expect(lines & Array(param[:match])).to eq(Array(param[:match])) end Array(param[:notmatch]).each do |item| is_expected.to contain_concat__fragment("#{title}-footer").without_content(item) end end end end end + context 'with a naked domain title' do + [ + { + title: 'should not contain non-www to www rewrite', + attr: 'rewrite_non_www_to_www', + value: false, + notmatch: %r{ + ^ + \s+server_name\s+rspec\.example\.com;\n + \s+return\s+301\s+https://www\.rspec\.example\.com\$request_uri; + }x + } + ].each do |param| + context "when #{param[:attr]} is #{param[:value]}" do + let(:params) { default_params.merge(param[:attr].to_sym => param[:value]) } + + it { is_expected.to contain_concat__fragment("#{title}-footer") } + it param[:title] do + matches = Array(param[:match]) + + if matches.all? { |m| m.is_a? Regexp } + matches.each { |item| is_expected.to contain_concat__fragment("#{title}-footer").with_content(item) } + else + lines = catalogue.resource('concat::fragment', "#{title}-footer").send(:parameters)[:content].split("\n") + expect(lines & Array(param[:match])).to eq(Array(param[:match])) + end + Array(param[:notmatch]).each do |item| + is_expected.to contain_concat__fragment("#{title}-footer").without_content(item) + end + end + end + end + end + describe 'server_ssl_header template content' do context 'with ssl' do let :params do default_params.merge( ssl: true, ssl_key: '/tmp/dummy.key', ssl_cert: '/tmp/dummy.crt' ) end context 'without a value for the nginx_version fact do' do let :facts do facts[:nginx_version] ? 
facts.delete(:nginx_version) : facts end it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ ssl on;}) } end context 'with fact nginx_version=1.14.1' do let(:facts) { facts.merge(nginx_version: '1.14.1') } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ ssl on;}) } end context 'with fact nginx_version=1.15.1' do let(:facts) { facts.merge(nginx_version: '1.15.1') } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").without_content(%r{ ssl on;}) } end context 'with ssl cert and key definitions' do let(:pre_condition) do <<-PUPPET file { ['/tmp/dummy.key', '/tmp/dummy.crt']: } include nginx PUPPET end it { is_expected.to contain_file('/tmp/dummy.key').with_path('/tmp/dummy.key') } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").that_requires(['File[/tmp/dummy.key]', 'File[/tmp/dummy.crt]']) } end end [ { title: 'should not contain www to non-www rewrite', attr: 'rewrite_www_to_non_www', value: false, notmatch: %r{ ^ \s+server_name\s+www\.rspec\.example\.com;\n \s+return\s+301\s+https://rspec\.example\.com\$request_uri; }x }, { title: 'should contain www to non-www rewrite', attr: 'rewrite_www_to_non_www', value: true, match: %r{ ^ \s+server_name\s+www\.rspec\.example\.com;\n \s+return\s+301\s+https://rspec\.example\.com\$request_uri; }x }, { title: 'should set the IPv4 listen IP', attr: 'listen_ip', value: '127.0.0.1', match: %r{\s+listen\s+127.0.0.1:443 ssl;} }, { title: 'should set the IPv4 SSL listen port', attr: 'ssl_port', value: 45, match: %r{\s+listen\s+\*:45 ssl;} }, { title: 'should set SPDY', attr: 'spdy', value: 'on', match: %r{\s+listen\s+\*:443 ssl spdy;} }, { title: 'should not set SPDY', attr: 'spdy', value: 'off', match: %r{\s+listen\s+\*:443 ssl;} }, { title: 'should set HTTP2', attr: 'http2', value: 'on', match: %r{\s+listen\s+\*:443 ssl http2;} }, { title: 'should not set HTTP2', attr: 'http2', value: 'off', match: %r{\s+listen\s+\*:443 ssl;} 
}, { title: 'should set the IPv4 listen options', attr: 'listen_options', value: 'default', match: %r{\s+listen\s+\*:443 ssl default;} }, { title: 'should enable IPv6', attr: 'ipv6_enable', value: true, match: %r{\s+listen\s+\[::\]:443 ssl default ipv6only=on;} }, { title: 'should disable IPv6', attr: 'ipv6_enable', value: false, notmatch: %r{ listen \[::\]:443 ssl default ipv6only=on;} }, { title: 'should set the IPv6 listen IP', attr: 'ipv6_listen_ip', value: '2001:0db8:85a3:0000:0000:8a2e:0370:7334', match: %r{\s+listen\s+\[2001:0db8:85a3:0000:0000:8a2e:0370:7334\]:443 ssl default ipv6only=on;} }, { title: 'should set the IPv6 listen port', attr: 'ssl_port', value: 45, match: %r{\s+listen\s+\[::\]:45 ssl default ipv6only=on;} }, { title: 'should set the IPv6 listen options', attr: 'ipv6_listen_options', value: 'spdy default', match: %r{\s+listen\s+\[::\]:443 ssl spdy default;} }, { title: 'should set servername(s)', attr: 'server_name', value: ['www.foo.com', 'foo.com'], match: %r{\s+server_name\s+www.foo.com foo.com;} }, { title: 'should rewrite www servername to non-www', attr: 'rewrite_www_to_non_www', value: true, match: %r{\s+server_name\s+rspec.example.com;} }, { title: 'should not rewrite www servername to non-www', attr: 'rewrite_www_to_non_www', value: false, match: %r{\s+server_name\s+www.rspec.example.com;} }, { title: 'should set the SSL buffer size', attr: 'ssl_buffer_size', value: '4k', match: ' ssl_buffer_size 4k;' }, { title: 'should set the SSL client certificate file', attr: 'ssl_client_cert', value: '/tmp/client_certificate', match: %r{\s+ssl_client_certificate\s+/tmp/client_certificate;} }, { title: 'should set the SSL CRL file', attr: 'ssl_crl', value: '/tmp/crl', match: %r{\s+ssl_crl\s+/tmp/crl;} }, { title: 'should set the SSL DH parameters file', attr: 'ssl_dhparam', value: '/tmp/dhparam', match: %r{\s+ssl_dhparam\s+/tmp/dhparam;} }, { title: 'should set ssl_ecdh_curve', attr: 'ssl_ecdh_curve', value: 'secp521r1', match: 
%r{\s+ssl_ecdh_curve\s+secp521r1;} }, { title: 'should set the SSL stapling file', attr: 'ssl_stapling_file', value: '/tmp/stapling_file', match: %r{\s+ssl_stapling_file\s+/tmp/stapling_file;} }, { title: 'should set the SSL trusted certificate file', attr: 'ssl_trusted_cert', value: '/tmp/trusted_certificate', match: %r{\s+ssl_trusted_certificate\s+/tmp/trusted_certificate;} }, { title: 'should set ssl_verify_depth', attr: 'ssl_verify_depth', value: 2, match: %r{^\s+ssl_verify_depth\s+2;} }, { title: 'should set the SSL cache', attr: 'ssl_cache', value: 'shared:SSL:1m', match: %r{\s+ssl_session_cache\s+shared:SSL:1m;} }, { title: 'should set the SSL timeout', attr: 'ssl_session_timeout', value: '30m', match: ' ssl_session_timeout 30m;' }, { title: 'should set the SSL protocols', attr: 'ssl_protocols', value: 'TLSv1', match: %r{\s+ssl_protocols\s+TLSv1;} }, { title: 'should set the SSL ciphers', attr: 'ssl_ciphers', value: 'HIGH', match: %r{\s+ssl_ciphers\s+HIGH;} }, { title: 'should set ssl_prefer_server_ciphers on', attr: 'ssl_prefer_server_ciphers', value: 'on', match: %r{\s+ssl_prefer_server_ciphers\s+on;} }, { title: 'should set ssl_prefer_server_ciphers off', attr: 'ssl_prefer_server_ciphers', value: 'off', match: %r{\s+ssl_prefer_server_ciphers\s+off;} }, { title: 'should not set absolute_redirect', attr: 'absolute_redirect', value: :undef, notmatch: %r{absolute_redirect} }, { title: 'should set absolute_redirect off', attr: 'absolute_redirect', value: 'off', match: ' absolute_redirect off;' }, { title: 'should set auth_basic', attr: 'auth_basic', value: 'value', match: %r{\s+auth_basic\s+"value";} }, { title: 'should set auth_basic_user_file', attr: 'auth_basic_user_file', value: 'value', match: %r{\s+auth_basic_user_file\s+"value";} }, { title: 'should set auth_request', attr: 'auth_request', value: 'value', match: %r{\s+auth_request\s+value;} }, { title: 'should set the client_body_timeout', attr: 'client_body_timeout', value: 'value', match: 
%r{^\s+client_body_timeout\s+value;} }, { title: 'should set the client_header_timeout', attr: 'client_header_timeout', value: 'value', match: %r{^\s+client_header_timeout\s+value;} }, { title: 'should set the gzip_types', attr: 'gzip_types', value: 'value', match: %r{^\s+gzip_types\s+value;} }, { title: 'should set access_log', attr: 'access_log', value: '/path/to/access.log', match: ' access_log /path/to/access.log combined;' }, { title: 'should set multiple access_log directives', attr: 'access_log', value: ['/path/to/log/1', 'syslog:server=localhost'], match: [ ' access_log /path/to/log/1 combined;', ' access_log syslog:server=localhost combined;' ] }, { title: 'should set access_log off', attr: 'access_log', value: 'off', match: ' access_log off;' }, { title: 'should not include access_log in server when set to absent', attr: 'access_log', value: 'absent', notmatch: 'access_log' }, { title: 'should set access_log to syslog', attr: 'access_log', value: 'syslog:server=localhost', match: ' access_log syslog:server=localhost combined;' }, { title: 'should set format_log custom_format', attr: 'format_log', value: 'custom', match: ' access_log /var/log/nginx/ssl-www.rspec.example.com.access.log custom;' }, { title: 'should set error_log', attr: 'error_log', value: '/path/to/error.log', match: ' error_log /path/to/error.log;' }, { title: 'should allow multiple error_log directives', attr: 'error_log', value: ['/path/to/error.log', 'syslog:server=localhost'], match: [ ' error_log /path/to/error.log;', ' error_log syslog:server=localhost;' ] }, { title: 'should not include error_log in server when set to absent', attr: 'error_log', value: 'absent', notmatch: 'error_log' }, { title: 'should set error_pages', attr: 'error_pages', value: { '503' => '/foo.html' }, match: ' error_page 503 /foo.html;' }, { title: 'should contain raw_prepend directives', attr: 'raw_prepend', value: [ 'if (a) {', ' b;', '}' ], match: %r{^\s+if \(a\) \{\n\s++b;\n\s+\}} }, { title: 'should 
contain ordered prepend directives', attr: 'server_cfg_prepend', value: { 'test1' => 'test value 1', 'test2' => ['test value 2a', 'test value 2b'], 'allow' => 'test value 3' }, match: [ ' allow test value 3;', ' test1 test value 1;', ' test2 test value 2a;', ' test2 test value 2b;' ] }, { title: 'should contain ordered ssl prepend directives', attr: 'server_cfg_ssl_prepend', value: { 'test1' => 'test value 1', 'test2' => ['test value 2a', 'test value 2b'], 'allow' => 'test value 3' }, match: [ ' allow test value 3;', ' test1 test value 1;', ' test2 test value 2a;', ' test2 test value 2b;' ] }, { title: 'should set root', attr: 'use_default_location', value: false, match: ' root /;' }, { title: 'should not set root', attr: 'use_default_location', value: true, notmatch: %r{ root /;} }, { title: 'should set index_file(s)', attr: 'index_files', value: %w[name1 name2], match: %r{\s*index\s+name1\s+name2;} }, { title: 'should not set index_file(s)', attr: 'index_files', value: [], notmatch: %r{\s+index\s+} }, { title: 'should set autoindex', attr: 'autoindex', value: 'on', match: ' autoindex on;' } ].each do |param| context "when #{param[:attr]} is #{param[:value]}" do let :params do default_params.merge(param[:attr].to_sym => param[:value], :ssl => true, :ssl_key => 'dummy.key', :ssl_cert => 'dummy.crt') end it { is_expected.to contain_concat__fragment("#{title}-ssl-header") } it param[:title] do matches = Array(param[:match]) if matches.all? { |m| m.is_a? 
Regexp } matches.each { |item| is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(item) } else lines = catalogue.resource('concat::fragment', "#{title}-ssl-header").send(:parameters)[:content].split("\n") expect(lines & Array(param[:match])).to eq(Array(param[:match])) end Array(param[:notmatch]).each do |item| is_expected.to contain_concat__fragment("#{title}-ssl-header").without_content(item) end end end end end describe 'server_ssl_footer template content' do [ { title: 'should not contain www to non-www rewrite', attr: 'rewrite_www_to_non_www', value: false, notmatch: %r{ ^ \s+server_name\s+www\.rspec\.example\.com;\n \s+return\s+301\s+https://rspec\.example\.com\$request_uri; }x }, { title: 'should contain include directives', attr: 'include_files', value: ['/file1', '/file2'], match: [ %r{^\s+include\s+/file1;}, %r{^\s+include\s+/file2;} ] }, { title: 'should contain ordered appended directives', attr: 'server_cfg_append', value: { 'test1' => 'test value 1', 'test2' => 'test value 2', 'allow' => 'test value 3' }, match: [ ' allow test value 3;', ' test1 test value 1;', ' test2 test value 2;' ] }, { title: 'should contain raw_append directives', attr: 'raw_append', value: [ 'if (a) {', ' b;', '}' ], match: %r{^\s+if \(a\) \{\n\s++b;\n\s+\}} }, { title: 'should contain ordered ssl appended directives', attr: 'server_cfg_ssl_append', value: { 'test1' => 'test value 1', 'test2' => ['test value 2a', 'test value 2b'], 'allow' => 'test value 3' }, match: [ ' allow test value 3;', ' test1 test value 1;', ' test2 test value 2a;', ' test2 test value 2b;' ] } ].each do |param| context "when #{param[:attr]} is #{param[:value]}" do let :params do default_params.merge(param[:attr].to_sym => param[:value], :ssl => true, :ssl_key => 'dummy.key', :ssl_cert => 'dummy.crt') end it { is_expected.to contain_concat__fragment("#{title}-ssl-footer") } it param[:title] do matches = Array(param[:match]) if matches.all? { |m| m.is_a? 
Regexp } matches.each { |item| is_expected.to contain_concat__fragment("#{title}-ssl-footer").with_content(item) } else lines = catalogue.resource('concat::fragment', "#{title}-ssl-footer").send(:parameters)[:content].split("\n") expect(lines & Array(param[:match])).to eq(Array(param[:match])) end Array(param[:notmatch]).each do |item| is_expected.to contain_concat__fragment("#{title}-ssl-footer").without_content(item) end end end end end context 'attribute resources' do context 'with SSL enabled, www rewrite to naked domain with multiple server_names' do let(:title) { 'foo.com' } let(:params) do { ssl: true, ssl_cert: 'cert', ssl_key: 'key', server_name: %w[www.foo.com bar.foo.com foo.com], use_default_location: false, rewrite_www_to_non_www: true } end it "sets the server_name of the rewrite server stanza to every server_name with 'www.' stripped" do is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{^\s+server_name\s+foo.com\s+bar.foo.com\s+foo.com;}) end end context 'with SSL disabled, www rewrite to naked domain with multiple server_names' do let(:title) { 'foo.com' } let(:params) do { server_name: %w[www.foo.com bar.foo.com foo.com], use_default_location: false, rewrite_www_to_non_www: true } end it "sets the server_name of the rewrite server stanza to every server_name with 'www.' 
stripped" do is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{^\s+server_name\s+foo.com\s+bar.foo.com\s+foo.com;}) end end context 'ssl_redirect' do let(:params) { { ssl_redirect: true } } it { is_expected.to contain_concat__fragment("#{title}-header").without_content(%r{^\s*index\s+}) } it { is_expected.to contain_concat__fragment("#{title}-header").without_content(%r{^\s*location\s+}) } end context 'ssl_redirect with alternate port' do let(:params) { { ssl_redirect: true, ssl_port: 8888 } } it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{ return 301 https://\$host:8888\$request_uri;}) } end context 'ssl_redirect with standard port set explicitly' do let(:params) { { ssl_redirect: true, ssl_port: 443 } } it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{ return 301 https://\$host\$request_uri;}) } end context 'ssl_redirect with overridden port' do let(:params) { { ssl_redirect: true, ssl_redirect_port: 8878 } } it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{ return 301 https://\$host:8878\$request_uri;}) } end context 'ssl_redirect with ssl_port set and overridden redirect port' do let(:params) do { ssl_redirect: true, ssl_redirect_port: 9787, ssl_port: 9783 } end it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{ return 301 https://\$host:9787\$request_uri;}) } end context 'ssl_redirect should set ssl_only when ssl => true' do let(:params) do { ssl_redirect: true, ssl: true, ssl_key: 'dummy.key', ssl_cert: 'dummy.crt' } end it { is_expected.to contain_nginx__resource__location("#{title}-default").with_ssl_only(true) } end context 'ssl_redirect should not include default location when ssl => false' do let(:params) do { ssl_redirect: true, ssl: false } end it { is_expected.not_to contain_nginx__resource__location("#{title}-default") } end context 'SSL cert and key are both set to fully qualified paths' do 
let(:params) { { ssl: true, ssl_cert: '/tmp/foo.crt', ssl_key: '/tmp/foo.key:' } } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_certificate\s+/tmp/foo.crt}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_certificate_key\s+/tmp/foo.key}) } end context 'SSL cert and key are both set to false' do let(:params) { { ssl: true, ssl_cert: false, ssl_key: false } } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").without_content(%r{ssl_certificate}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").without_content(%r{ssl_certificate_key}) } end context 'when use_default_location => true' do let :params do default_params.merge(use_default_location: true) end it { is_expected.to contain_nginx__resource__location("#{title}-default") } end context 'when use_default_location => false' do let :params do default_params.merge(use_default_location: false) end it { is_expected.not_to contain_nginx__resource__location("#{title}-default") } end context 'when location_cfg_prepend => { key => value }' do let :params do default_params.merge(location_cfg_prepend: { 'key' => 'value' }) end it { is_expected.to contain_nginx__resource__location("#{title}-default").with_location_cfg_prepend('key' => 'value') } end context "when location_raw_prepend => [ 'foo;' ]" do let :params do default_params.merge(location_raw_prepend: ['foo;']) end it { is_expected.to contain_nginx__resource__location("#{title}-default").with_raw_prepend(['foo;']) } end context "when location_raw_append => [ 'foo;' ]" do let :params do default_params.merge(location_raw_append: ['foo;']) end it { is_expected.to contain_nginx__resource__location("#{title}-default").with_raw_append(['foo;']) } end context 'when location_cfg_append => { key => value }' do let :params do default_params.merge(location_cfg_append: { 'key' => 'value' }) end it { is_expected.to 
contain_nginx__resource__location("#{title}-default").with_location_cfg_append('key' => 'value') } end context 'when fastcgi => "localhost:9000"' do let :params do default_params.merge(fastcgi: 'localhost:9000') end it { is_expected.to contain_nginx__resource__location("#{title}-default").with_fastcgi_params('/etc/nginx/fastcgi.conf') } it { is_expected.to contain_file('/etc/nginx/fastcgi.conf').with_mode('0644') } end context 'when fastcgi_params is non-default' do let :params do default_params.merge(fastcgi: 'localhost:9000', fastcgi_params: '/etc/nginx/mycustomparams') end it { is_expected.to contain_nginx__resource__location("#{title}-default").with_fastcgi_params('/etc/nginx/mycustomparams') } it { is_expected.not_to contain_file('/etc/nginx/mycustomparams') } end context 'when fastcgi_params is not defined' do let :params do default_params.merge(fastcgi: 'localhost:9000', fastcgi_params: nil) end it { is_expected.to contain_nginx__resource__location("#{title}-default").with_fastcgi_params('nil') } it { is_expected.not_to contain_file('/etc/nginx/fastcgi.conf') } end context 'when fastcgi_index => "index.php"' do let :params do default_params.merge(fastcgi_index: 'index.php') end it { is_expected.to contain_nginx__resource__location("#{title}-default").with_fastcgi_index('index.php') } end context 'when fastcgi_param => {key => value}' do let :params do default_params.merge(fastcgi_param: { 'key' => 'value' }) end it { is_expected.to contain_nginx__resource__location("#{title}-default").with_fastcgi_param('key' => 'value') } end context 'when uwsgi => "uwsgi_upstream"' do let :params do default_params.merge(uwsgi: 'uwsgi_upstream') end it { is_expected.to contain_file('/etc/nginx/uwsgi_params').with_mode('0644') } end context 'when uwsgi_params is non-default' do let :params do default_params.merge(uwsgi: 'uwsgi_upstream', uwsgi_params: '/etc/nginx/bogusparams') end it { is_expected.not_to contain_file('/etc/nginx/bogusparams') } end context 'when listen_port 
== ssl_port but ssl = false' do let :params do default_params.merge(listen_port: 80, ssl_port: 80, ssl: false) end # TODO: implement test after this can be tested # msg = %r{nginx: ssl must be true if listen_port is the same as ssl_port} it 'Testing for warnings not yet implemented in classes' end context 'when listen_port != ssl_port' do let :params do default_params.merge(listen_port: 80, ssl_port: 443) end it { is_expected.to contain_concat__fragment("#{title}-header") } it { is_expected.to contain_concat__fragment("#{title}-footer") } end context 'when ensure => absent' do let :params do default_params.merge(ensure: 'absent', ssl: true, ssl_key: 'dummy.key', ssl_cert: 'dummy.cert') end it { is_expected.to contain_nginx__resource__location("#{title}-default").with_ensure('absent') } it { is_expected.to contain_file("#{title}.conf symlink").with_ensure('absent') } it { is_expected.to contain_concat("/etc/nginx/sites-available/#{title}.conf").with_ensure('absent') } end context 'when ssl => true and ssl_port == listen_port' do let :params do default_params.merge(ssl: true, listen_port: 80, ssl_port: 80, ssl_key: 'dummy.key', ssl_cert: 'dummy.cert') end it { is_expected.to contain_nginx__resource__location("#{title}-default").with_ssl_only(true) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{access_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.access\.log combined;}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{error_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.error\.log}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_certificate\s+dummy.cert;}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_certificate_key\s+dummy.key;}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-footer") } end context 'when ssl_client_cert is set' do let :params do default_params.merge(ssl: true, 
listen_port: 80, ssl_port: 80, ssl_key: 'dummy.key', ssl_cert: 'dummy.cert', ssl_client_cert: 'client.cert', ssl_verify_client: 'optional') end it { is_expected.to contain_nginx__resource__location("#{title}-default").with_ssl_only(true) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{access_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.access\.log combined;}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{error_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.error\.log}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_verify_client\s+optional;}) } end context 'when passenger_cgi_param is set' do let :params do default_params.merge(passenger_cgi_param: { 'test1' => 'test value 1', 'test2' => 'test value 2', 'test3' => 'test value 3' }) end it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{passenger_set_cgi_param test1 test value 1;}) } it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{passenger_set_cgi_param test2 test value 2;}) } it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{passenger_set_cgi_param test3 test value 3;}) } end context 'when passenger_cgi_param is set and ssl => true' do let :params do default_params.merge(passenger_cgi_param: { 'test1' => 'test value 1', 'test2' => 'test value 2', 'test3' => 'test value 3' }, ssl: true, ssl_key: 'dummy.key', ssl_cert: 'dummy.cert') end it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{passenger_set_cgi_param test1 test value 1;}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{passenger_set_cgi_param test2 test value 2;}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{passenger_set_cgi_param test3 test value 3;}) } end context 'when passenger_set_header is set' do let :params do 
default_params.merge(passenger_set_header: { 'test1' => 'test value 1', 'test2' => 'test value 2', 'test3' => 'test value 3' }) end it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{passenger_set_header test1 test value 1;}) } it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{passenger_set_header test2 test value 2;}) } it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{passenger_set_header test3 test value 3;}) } end context 'when passenger_set_header is set and ssl => true' do let :params do default_params.merge(passenger_set_header: { 'test1' => 'test value 1', 'test2' => 'test value 2', 'test3' => 'test value 3' }, ssl: true, ssl_key: 'dummy.key', ssl_cert: 'dummy.cert') end it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{passenger_set_header test1 test value 1;}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{passenger_set_header test2 test value 2;}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{passenger_set_header test3 test value 3;}) } end context 'when passenger_env_var is set' do let :params do default_params.merge(passenger_env_var: { 'test1' => 'test value 1', 'test2' => 'test value 2', 'test3' => 'test value 3' }) end it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{passenger_env_var test1 test value 1;}) } it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{passenger_env_var test2 test value 2;}) } it { is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{passenger_env_var test3 test value 3;}) } end context 'when passenger_env_var is set and ssl => true' do let :params do default_params.merge(passenger_env_var: { 'test1' => 'test value 1', 'test2' => 'test value 2', 'test3' => 'test value 3' }, ssl: true, ssl_key: 'dummy.key', ssl_cert: 'dummy.cert') end it { 
is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{passenger_env_var test1 test value 1;}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{passenger_env_var test2 test value 2;}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{passenger_env_var test3 test value 3;}) } end context 'when passenger_pre_start is a string' do let :params do default_params.merge(passenger_pre_start: 'http://example.com:80/test/me') end it { is_expected.to contain_concat__fragment("#{title}-footer").with_content(%r{passenger_pre_start http://example.com:80/test/me;}) } end context 'when passenger_pre_start is an array' do let :params do default_params.merge(passenger_pre_start: ['http://example.com:80/test/me', 'http://example.com:3009/foo/bar']) end it { is_expected.to contain_concat__fragment("#{title}-footer").with_content(%r{passenger_pre_start http://example.com:80/test/me;}) } it { is_expected.to contain_concat__fragment("#{title}-footer").with_content(%r{passenger_pre_start http://example.com:3009/foo/bar;}) } end context 'when server name is sanitized' do let(:title) { 'www rspec-server com' } let(:params) { default_params } it { is_expected.to contain_concat('/etc/nginx/sites-available/www_rspec-server_com.conf') } end context 'when add_header is set' do let :params do default_params.merge(add_header: { 'header3' => { '' => '\'test value 3\' tv3' }, 'header2' => { 'test value 2' => 'tv2' }, 'header1' => 'test value 1' }) end it 'has correctly ordered entries in the config' do is_expected.to contain_concat__fragment("#{title}-header").with_content(%r{\s+add_header\s+"header1" "test value 1";\n\s+add_header\s+"header2" "test value 2" tv2;\n\s+add_header\s+"header3" 'test value 3' tv3;\n}) end end context 'when add_header is set and ssl => true' do let :params do default_params.merge(add_header: { 'header3' => { '' => '\'test value 3\' tv3' }, 'header2' => { 'test value 2' => 
'tv2' }, 'header1' => 'test value 1' }, ssl: true, ssl_key: 'dummy.key', ssl_cert: 'dummy.cert') end it 'has correctly ordered entries in the config' do is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{\s+add_header\s+"header1" "test value 1";\n\s+add_header\s+"header2" "test value 2" tv2;\n\s+add_header\s+"header3" 'test value 3' tv3;\n}) end end end describe 'with locations' do context 'simple location' do let(:params) do { use_default_location: false, locations: { 'one' => { 'location_custom_cfg' => {}, 'location' => '/one', 'expires' => '@12h34m' } } } end it { is_expected.to contain_nginx__resource__location('one') } it { is_expected.to contain_nginx__resource__location('one').with_location('/one') } it { is_expected.to contain_nginx__resource__location('one').with_expires('@12h34m') } end context 'multiple locations' do let(:params) do { use_default_location: false, locations: { 'one' => { 'location_custom_cfg' => {}, 'location' => '/one', 'expires' => '@12h34m' }, 'two' => { 'location_custom_cfg' => {}, 'location' => '= /two', 'expires' => '@23h45m' } } } end it { is_expected.to contain_nginx__resource__location('one') } it { is_expected.to contain_nginx__resource__location('one').with_location('/one') } it { is_expected.to contain_nginx__resource__location('one').with_expires('@12h34m') } it { is_expected.to contain_nginx__resource__location('two') } it { is_expected.to contain_nginx__resource__location('two').with_location('= /two') } it { is_expected.to contain_nginx__resource__location('two').with_expires('@23h45m') } end context 'with locations default' do let(:params) do { www_root: '/toplevel', locations_defaults: { 'www_root' => '/overwrite', 'expires' => '@12h34m' }, locations: { 'one' => { 'location_custom_cfg' => {}, 'location' => '/one' }, 'two' => { 'location_custom_cfg' => {}, 'location' => '= /two' } } } end it { is_expected.to contain_nginx__resource__location('one') } it { is_expected.to 
contain_nginx__resource__location('one').with_location('/one') } it { is_expected.to contain_nginx__resource__location('one').with_www_root('/overwrite') } it { is_expected.to contain_nginx__resource__location('one').with_expires('@12h34m') } it { is_expected.to contain_nginx__resource__location('two') } it { is_expected.to contain_nginx__resource__location('two').with_location('= /two') } it { is_expected.to contain_nginx__resource__location('two').with_www_root('/overwrite') } it { is_expected.to contain_nginx__resource__location('two').with_expires('@12h34m') } end end end end end end
diff --git a/templates/server/server_header.erb b/templates/server/server_header.erb
index ca58dd6..9195151 100644
--- a/templates/server/server_header.erb
+++ b/templates/server/server_header.erb
@@ -1,167 +1,182 @@ # MANAGED BY PUPPET -<% if @rewrite_www_to_non_www -%> +<% if @rewrite_www_to_non_www || @rewrite_non_www_to_www -%> <%- @server_name.each do |s| -%> server { <%- if @listen_ip.is_a?(Array) then -%> <%- @listen_ip.each do |ip| -%> listen <%= ip %>:<%= @listen_port %><% if @listen_options %> <%= @listen_options %><% end %>; <%- end -%> <%- else -%> listen <%= @listen_ip %>:<%= @listen_port %><% if @listen_options %> <%= @listen_options %><% end %>; <%- end -%> <%- if @listen_unix_socket_enable -%> <%- if @listen_unix_socket.is_a?(Array) then -%> <%- @listen_unix_socket.each do |unix_socket| -%> listen unix:<%= unix_socket %><% if @listen_unix_socket_options %> <%= @listen_unix_socket_options %><% end %>; <%- end -%> <%- else -%> listen unix:<%= @listen_unix_socket %><% if @listen_unix_socket_options %> <%= @listen_unix_socket_options %><% end %>; <%- end -%> <%- end -%> <%= scope.function_template(["nginx/server/server_ipv6_listen.erb"]) %> +<%- if @rewrite_www_to_non_www -%> server_name www.<%= s.gsub(/^www\./, '') %>; <%- if @ssl_redirect or @ssl_only -%> return 301 https://<%= s.gsub(/^www\./, '') %><% if @_ssl_redirect_port.to_i != 443 %>:<%= @_ssl_redirect_port %><% end %>$request_uri; <%- else -%> return 301 http://<%= s.gsub(/^www\./, '') %>$request_uri; <%- end -%> +<%- elsif @rewrite_non_www_to_www -%> + server_name <%= s %>; + <%- if @ssl_redirect or @ssl_only -%> + return 301 https://www.<%= s %><% if @_ssl_redirect_port.to_i != 443 %>:<%= @_ssl_redirect_port %><% end %>$request_uri; + <%- else -%> + return 301 http://www.<%= s %>$request_uri; + <%- end -%> +<%- end -%> } <% end -%> <% end -%> server { <%- if @listen_ip.is_a?(Array) then -%> <%- @listen_ip.each do |ip| -%> listen <%= ip %>:<%= @listen_port %><% if @listen_options %> <%= @listen_options %><% end %>; <%- end -%> <%- else -%> listen <%= @listen_ip %>:<%= @listen_port %><% if @listen_options %> <%= @listen_options %><% end %>; <%- end -%> <%- if @listen_unix_socket_enable 
-%> <%- if @listen_unix_socket.is_a?(Array) then -%> <%- @listen_unix_socket.each do |unix_socket| -%> listen unix:<%= unix_socket %><% if @listen_unix_socket_options %> <%= @listen_unix_socket_options %><% end %>; <%- end -%> <%- else -%> listen unix:<%= @listen_unix_socket %><% if @listen_unix_socket_options %> <%= @listen_unix_socket_options %><% end %>; <%- end -%> <%- end -%> <%= scope.function_template(["nginx/server/server_ipv6_listen.erb"]) %> - server_name <%= @rewrite_www_to_non_www ? @server_name.join(" ").gsub(/(^| )(www\.)?(?=[a-z0-9])/, '') : @server_name.join(" ") %>; +<%- if @rewrite_www_to_non_www -%> + server_name <%= @server_name.join(" ").gsub(/(^| )(www\.)?(?=[a-z0-9])/, '') %>; +<%- elsif @rewrite_non_www_to_www -%> + server_name <%= @server_name.join(" ").gsub(/(^| )(?=[a-z0-9])/, 'www.') %>; +<%- else %> + server_name <%= @server_name.join(" ") %>; +<%- end -%> <%- if instance_variables.any? { |iv| iv.to_s.include? 'auth_basic' } -%> <%- if defined? @auth_basic -%> auth_basic "<%= @auth_basic %>"; <%- end -%> <%- if defined? @auth_basic_user_file -%> auth_basic_user_file <%= @auth_basic_user_file %>; <%- end -%> <% end -%> <%- if defined? @auth_request -%> auth_request <%= @auth_request %>; <%- end -%> <% if instance_variables.any? { |iv| iv.to_s.include? 'client_' } -%> <%- if defined? @client_body_timeout -%> client_body_timeout <%= @client_body_timeout %>; <%- end -%> <%- if defined? @client_header_timeout -%> client_header_timeout <%= @client_header_timeout %>; <%- end -%> <%- if defined? @client_max_body_size -%> client_max_body_size <%= @client_max_body_size %>; <%- end -%> <% end -%> <% if defined? @gzip_types -%> gzip_types <%= @gzip_types %>; <% end -%> <%# make sure that allow comes before deny by forcing the allow key (if it -%> <%# exists) to be first in the output order. The hash keys also need to be -%> <%# sorted so that the ordering is stable. 
-%> <% if @server_cfg_prepend -%> <%- @server_cfg_prepend.sort_by{ |k, v| k.to_s == 'allow' ? '' : k.to_s }.each do |key,value| -%> <%- if value.is_a?(Hash) -%> <%- value.sort_by {|k,v| k}.each do |subkey,subvalue| -%> <%- Array(subvalue).each do |asubvalue| -%> <%= key %> <%= subkey %> <%= asubvalue %>; <%- end -%> <%- end -%> <%- else -%> <%- Array(value).each do |asubvalue| -%> <%= key %> <%= asubvalue %>; <%- end -%> <%- end -%> <%- end -%> <% end -%> <% Array(@raw_prepend).each do |line| -%> <%= line %> <% end %> <% if @root -%> root <%= @root %>; <% end -%> <% if @passenger_cgi_param -%> <%- @passenger_cgi_param.keys.sort.each do |key| -%> passenger_set_cgi_param <%= key %> <%= @passenger_cgi_param[key] %>; <%- end -%> <% end -%> <% if @passenger_set_header -%> <%- @passenger_set_header.keys.sort.each do |key| -%> passenger_set_header <%= key %> <%= @passenger_set_header[key] %>; <%- end -%> <% end -%> <% if @passenger_env_var -%> <%- @passenger_env_var.keys.sort.each do |key| -%> passenger_env_var <%= key %> <%= @passenger_env_var[key] %>; <%- end -%> <% end -%> <% if Array(@resolver).count > 0 -%> resolver <% Array(@resolver).each do |r| %> <%= r %><% end %>; <% end -%> <%= scope.function_template(["nginx/server/locations/headers.erb"]) %> <% if @maintenance -%> <%= @maintenance_value %>; <% end -%> <% if @ssl_redirect -%> return 301 https://$host<% if @_ssl_redirect_port.to_i != 443 %>:<%= @_ssl_redirect_port %><% end %>$request_uri; <% end -%> <% if @index_files and @index_files.count > 0 and not @ssl_only -%> index <% Array(@index_files).each do |i| %> <%= i %><% end %>; <% end -%> <% if defined? @autoindex -%> autoindex <%= @autoindex %>; <% end -%> <% if defined? @log_by_lua -%> log_by_lua '<%= @log_by_lua %>'; <% end -%> <% if defined? 
@log_by_lua_file -%> log_by_lua_file "<%= @log_by_lua_file %>"; <% end -%> <% if @absolute_redirect -%> absolute_redirect <%= @absolute_redirect %>; <% end -%> <% if @access_log.is_a?(Array) -%> <%- @access_log.each do |log_item| -%> access_log <%= log_item %> <%= @format_log %>; <%- end -%> <% elsif @access_log == 'absent' -%> <% elsif @access_log == 'off' -%> access_log off; <% elsif not @access_log -%> access_log <%= scope['::nginx::config::log_dir'] %>/<%= @name_sanitized %>.access.log <%= @format_log %>; <% else -%> access_log <%= @access_log %> <%= @format_log %>; <% end -%> <% if @error_log.is_a?(Array) -%> <%- @error_log.each do |log_item| -%> error_log <%= log_item %>; <%- end -%> <% elsif @error_log == 'absent' -%> <% elsif not @error_log -%> error_log <%= scope['::nginx::config::log_dir'] %>/<%= @name_sanitized %>.error.log; <% else -%> error_log <%= @error_log %>; <% end -%> <% if @error_pages -%> <%- @error_pages.keys.sort.each do |key| -%> error_page <%= key %> <%= @error_pages[key] %>; <%- end -%> <% end -%> diff --git a/templates/server/server_ssl_header.erb b/templates/server/server_ssl_header.erb index 3832637..66ecd3c 100644 --- a/templates/server/server_ssl_header.erb +++ b/templates/server/server_ssl_header.erb 
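Review bot: The new main-block expression `gsub(/(^| )(?=[a-z0-9])/, 'www.')` replaces the separating space together with the empty match, so a server with several names renders them fused (for example `www.a.example` run straight into `www.b.example`). A name that already starts with `www.` also becomes `www.www.…`. Building the list per element avoids both: `server_name <%= @server_name.map { |n| "www.#{n.sub(/\Awww\./, '')}" }.join(" ") %>;`. The redirect block added earlier in this hunk has the same prefix problem, because `server_name <%= s %>;` and `return 301 http://www.<%= s %>$request_uri;` use the name unstripped. The `<%- else %>` before the plain `server_name` line lacks the trailing `-`, which leaves a stray blank line in the rendered config.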
@@ -1,149 +1,154 @@ # MANAGED BY PUPPET -<% if @rewrite_www_to_non_www -%> +<% if @rewrite_www_to_non_www || @rewrite_non_www_to_www -%> <%- @server_name.each do |s| -%> server { <%- if @listen_ip.is_a?(Array) then -%> <%- @listen_ip.each do |ip| -%> listen <%= ip %>:<%= @ssl_port %> <% if @ssl_listen_option %>ssl<% end %><% if @http2 == 'on' %> http2<% end %><% if @spdy == 'on' %> spdy<% end %><% if @listen_options %> <%= @listen_options %><% end %>; <%- end -%> <%- else -%> listen <%= @listen_ip %>:<%= @ssl_port %> <% if @ssl_listen_option %>ssl<% end %><% if @http2 == 'on' %> http2<% end %><% if @spdy == 'on' %> spdy<% end %><% if @listen_options %> <%= @listen_options %><% end %>; <%- end -%> <%= scope.function_template(["nginx/server/server_ssl_ipv6_listen.erb"]) %> +<%- if @rewrite_www_to_non_www -%> server_name www.<%= s.gsub(/^www\./, '') %>; return 301 https://<%= s.gsub(/^www\./, '') %>$request_uri; +<%- elsif @rewrite_non_www_to_www %> + server_name <%= s.gsub(/^www\./, '') %>; + return 301 https://www.<%= s %>$request_uri; +<%- end -%> <%= scope.function_template(["nginx/server/server_ssl_settings.erb"]) %> } <% end -%> <% end -%> server { <%- if @listen_ip.is_a?(Array) then -%> <%- @listen_ip.each do |ip| -%> listen <%= ip %>:<%= @ssl_port %> <% if @ssl_listen_option %>ssl<% end %><% if @http2 == 'on' %> http2<% end %><% if @spdy == 'on' %> spdy<% end %><% if @listen_options %> <%= @listen_options %><% end %>; <%- end -%> <%- else -%> listen <%= @listen_ip %>:<%= @ssl_port %> <% if @ssl_listen_option %>ssl<% end %><% if @http2 == 'on' %> http2<% end %><% if @spdy == 'on' %> spdy<% end %><% if @listen_options %> <%= @listen_options %><% end %>; <%- end -%> <%= scope.function_template(["nginx/server/server_ssl_ipv6_listen.erb"]) %> server_name <%= @rewrite_www_to_non_www ? 
@server_name.join(" ").gsub(/(^| )(www\.)?(?=[a-z0-9])/, '') : @server_name.join(" ") %>; <%= scope.function_template(["nginx/server/server_ssl_settings.erb"]) %> <% if @maintenance -%> <%= @maintenance_value %>; <% end -%> <% if Array(@resolver).count > 0 -%> resolver <% Array(@resolver).each do |r| %> <%= r %><% end %>; <% end -%> <%- if instance_variables.any? { |iv| iv.to_s.include? 'auth_basic' } -%> <% if defined? @auth_basic -%> auth_basic "<%= @auth_basic %>"; <% end -%> <%- if defined? @auth_basic_user_file -%> auth_basic_user_file "<%= @auth_basic_user_file %>"; <% end -%> <%- end -%> <%- if defined? @auth_request -%> auth_request <%= @auth_request %>; <%- end -%> <%- if instance_variables.any? { |iv| iv.to_s.include? 'client_' } -%> <%- if defined? @client_body_timeout -%> client_body_timeout <%= @client_body_timeout %>; <%- end -%> <%- if defined? @client_header_timeout -%> client_header_timeout <%= @client_header_timeout %>; <%- end -%> <%- if defined? @client_max_body_size -%> client_max_body_size <%= @client_max_body_size %>; <%- end -%> <% end -%> <% if defined? @gzip_types -%> gzip_types <%= @gzip_types %>; <% end -%> <% if @index_files and @index_files.count > 0 -%> index <% Array(@index_files).each do |i| %> <%= i %><% end %>; <% end -%> <% if defined? 
@autoindex -%> autoindex <%= @autoindex %>; <% end -%> <% if @absolute_redirect -%> absolute_redirect <%= @absolute_redirect %>; <% end -%> <% if @access_log.is_a?(Array) -%> <%- @access_log.each do |log_item| -%> access_log <%= log_item %> <%= @format_log %>; <%- end -%> <% elsif @access_log == 'absent' -%> <% elsif @access_log == 'off' -%> access_log off; <% elsif not @access_log -%> access_log <%= scope['::nginx::config::log_dir'] %>/ssl-<%= @name_sanitized %>.access.log <%= @format_log %>; <% else -%> access_log <%= @access_log %> <%= @format_log %>; <% end -%> <% if @error_log.is_a?(Array) -%> <%- @error_log.each do |log_item| -%> error_log <%= log_item %>; <%- end -%> <% elsif @error_log == 'absent' -%> <% elsif not @error_log -%> error_log <%= scope['::nginx::config::log_dir'] %>/ssl-<%= @name_sanitized %>.error.log; <% else -%> error_log <%= @error_log %>; <% end -%> <% if @error_pages -%> <%- @error_pages.keys.sort.each do |key| -%> error_page <%= key %> <%= @error_pages[key] %>; <%- end -%> <% end -%> <% if @server_cfg_prepend -%> <%- @server_cfg_prepend.sort_by{ |k, v| k.to_s == 'allow' ? '' : k.to_s }.each do |key,value| -%> <%- if value.is_a?(Hash) -%> <%- value.sort_by {|k,v| k}.each do |subkey,subvalue| -%> <%- Array(subvalue).each do |asubvalue| -%> <%= key %> <%= subkey %> <%= asubvalue %>; <%- end -%> <%- end -%> <%- else -%> <%- Array(value).each do |asubvalue| -%> <%= key %> <%= asubvalue %>; <%- end -%> <%- end -%> <%- end -%> <% end -%> <% if @server_cfg_ssl_prepend -%> <%- @server_cfg_ssl_prepend.sort_by{ |k, v| k.to_s == 'allow' ? 
'' : k.to_s }.each do |key,value| -%> <%- if value.is_a?(Hash) -%> <%- value.sort_by {|k,v| k}.each do |subkey,subvalue| -%> <%- Array(subvalue).each do |asubvalue| -%> <%= key %> <%= subkey %> <%= asubvalue %>; <%- end -%> <%- end -%> <%- else -%> <%- Array(value).each do |asubvalue| -%> <%= key %> <%= asubvalue %>; <%- end -%> <%- end -%> <%- end -%> <% end -%> <% Array(@raw_prepend).each do |line| -%> <%= line %> <% end -%> <% if @root -%> root <%= @root %>; <% end -%> <% Array(@passenger_cgi_param).each do |key,value| -%> passenger_set_cgi_param <%= key %> <%= value %>; <% end -%> <% Array(@passenger_set_header).each do |key,value| -%> passenger_set_header <%= key %> <%= value %>; <% end -%> <% Array(@passenger_env_var).each do |key,value| -%> passenger_env_var <%= key %> <%= value %>; <% end -%> <%= scope.function_template(["nginx/server/locations/headers.erb"]) %>
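Review bot: The main TLS server block later in this hunk still renders `server_name` with only the `@rewrite_www_to_non_www` ternary, so with `rewrite_non_www_to_www` set both the new redirect server and the main server claim the bare name, and no block on the TLS listener answers for `www.<name>`. Requests for the www host would then fall through to whichever server is the default for that listen socket, which may present a different certificate or content, or loop on the redirect; this is inferred from the template and not tested here. The main block needs the same three-way branch that server_header.erb gets in this commit, as sketched below. In the redirect block the target should also strip an existing prefix to match its `server_name` line: `return 301 https://www.<%= s.gsub(/^www\./, '') %>$request_uri;`.

```erb
<%# … unchanged: listen directives and server_ssl_ipv6_listen.erb include … %>
<%- if @rewrite_www_to_non_www -%>
  server_name <%= @server_name.join(" ").gsub(/(^| )(www\.)?(?=[a-z0-9])/, '') %>;
<%- elsif @rewrite_non_www_to_www -%>
  server_name <%= @server_name.map { |n| "www.#{n.sub(/\Awww\./, '')}" }.join(" ") %>;
<%- else -%>
  server_name <%= @server_name.join(" ") %>;
<%- end -%>
<%# … unchanged: server_ssl_settings.erb include and the rest of the block … %>
```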