-rw-r--r--files/itk_plus/conf.d/CentOS/ssl.conf75
-rw-r--r--manifests/centos/itk_plus.pp2
-rw-r--r--manifests/ssl/centos.pp4
-rw-r--r--manifests/ssl/itk_plus/centos.pp11
-rw-r--r--manifests/vhost/file.pp29
-rw-r--r--manifests/vhost/template.pp2
-rw-r--r--templates/itk_plus/CentOS/00-listen-ssl.conf.erb6
7 files changed, 126 insertions, 3 deletions
diff --git a/files/itk_plus/conf.d/CentOS/ssl.conf b/files/itk_plus/conf.d/CentOS/ssl.conf
new file mode 100644
index 0000000..597df1b
--- /dev/null
+++ b/files/itk_plus/conf.d/CentOS/ssl.conf
@@ -0,0 +1,75 @@
+#
+# This is the Apache server configuration file providing SSL support.
+# It contains the configuration directives to instruct the server how to
+# serve pages over an https connection. For detailing information about these
+# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do. They're here only as hints or reminders. If you are unsure
+# consult the online docs. You have been warned.
+#
+
+LoadModule ssl_module modules/mod_ssl.so
+
+#
+# When we also provide SSL we have to listen to the
+# the HTTPS port in addition.
+#
+Listen 443
+
+##
+## SSL Global Context
+##
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+##
+
+#
+# Some MIME-types for downloading Certificates and CRLs
+#
+AddType application/x-x509-ca-cert .crt
+AddType application/x-pkcs7-crl .crl
+
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog builtin
+
+# Inter-Process Session Cache:
+# Configure the SSL Session Cache: First the mechanism
+# to use and second the expiring timeout (in seconds).
+#SSLSessionCache dc:UNIX:/var/cache/mod_ssl/distcache
+SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
+SSLSessionCacheTimeout 300
+
+# Semaphore:
+# Configure the path to the mutual exclusion semaphore the
+# SSL engine uses internally for inter-process synchronization.
+SSLMutex default
+
+# Pseudo Random Number Generator (PRNG):
+# Configure one or more sources to seed the PRNG of the
+# SSL library. The seed data should be of good random quality.
+# WARNING! On some platforms /dev/random blocks if not enough entropy
+# is available. This means you then cannot use the /dev/random device
+# because it would lead to very long connection times (as long as
+# it requires to make more entropy available). But usually those
+# platforms additionally provide a /dev/urandom device which doesn't
+# block. So, if available, use this one instead. Read the mod_ssl User
+# Manual for more details.
+SSLRandomSeed startup file:/dev/urandom 256
+SSLRandomSeed connect builtin
+#SSLRandomSeed startup file:/dev/random 512
+#SSLRandomSeed connect file:/dev/random 512
+#SSLRandomSeed connect file:/dev/urandom 512
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names. NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly.
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
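Review bot: `Listen 443` near the top of this file (just after the "listen to the HTTPS port" comment) duplicates the port-443 binds that the new templates/itk_plus/CentOS/00-listen-ssl.conf.erb adds (`Listen 127.0.0.1:443` and `Listen <%= ipaddress %>:443`), and since apache::ssl::itk_plus::centos installs both files, httpd would see overlapping Listen directives for 443 and is likely to fail to bind one of them at startup. The point of the new template appears to be to move the SSL listener out of ssl.conf, so this line should be dropped from the copied file and replaced by `# Listen 443 is provided by 00-listen-ssl.conf`. A second, smaller point: the global context sets no `SSLProtocol`, `SSLCipherSuite` or `SSLHonorCipherOrder`, so every SSL vhost inherits mod_ssl's defaults unless it sets them itself; a comment stating where those are expected to live would help the next reader.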
diff --git a/manifests/centos/itk_plus.pp b/manifests/centos/itk_plus.pp
index f73be04..0bdb744 100644
--- a/manifests/centos/itk_plus.pp
+++ b/manifests/centos/itk_plus.pp
@@ -5,7 +5,7 @@ class apache::centos::itk_plus inherits apache::centos::itk {
}
Apache::Config::Global['00-listen.conf']{
- ensure => present,
+ ensure => 'present',
content => template("apache/itk_plus/${operatingsystem}/00-listen.conf.erb"),
}
diff --git a/manifests/ssl/centos.pp b/manifests/ssl/centos.pp
index b2c8ad8..7bc8c89 100644
--- a/manifests/ssl/centos.pp
+++ b/manifests/ssl/centos.pp
@@ -5,4 +5,8 @@ class apache::ssl::centos inherits apache::ssl::base {
require => Package[apache],
}
::apache::config::global{ 'ssl.conf': }
+
+ apache::config::global{'00-listen-ssl.conf':
+ ensure => absent,
+ }
}
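Review bot: Declaring `apache::config::global{'00-listen-ssl.conf': ensure => absent }` here and declaring the same type and title again in apache::ssl::itk_plus::centos (manifests/ssl/itk_plus/centos.pp, which `inherits apache::ssl::centos`) should raise a duplicate-declaration error, because an inheriting class evaluates the parent's resources and cannot redeclare them. The child should override the inherited resource the way it already overrides ssl.conf: `Apache::Config::Global['00-listen-ssl.conf']{` followed by the existing `ensure => 'present',` and `content` lines. Also, `absent` is unquoted here while the rest of the commit quotes `'present'` (manifests/centos/itk_plus.pp); `ensure => 'absent',` keeps the style consistent.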
diff --git a/manifests/ssl/itk_plus/centos.pp b/manifests/ssl/itk_plus/centos.pp
new file mode 100644
index 0000000..d8989c9
--- /dev/null
+++ b/manifests/ssl/itk_plus/centos.pp
@@ -0,0 +1,11 @@
+class apache::ssl::itk_plus::centos inherits apache::ssl::centos {
+ include apache::ssl::itk::centos
+ Apache::Config::Global['ssl.conf']{
+ source => "apache/itk_plus/conf.d/${operatingsystem}/ssl.conf",
+ }
+
+ apache::config::global{'00-listen-ssl.conf':
+ ensure => 'present',
+ content => template("apache/itk_plus/${operatingsystem}/00-listen-ssl.conf.erb"),
+ }
+}
diff --git a/manifests/vhost/file.pp b/manifests/vhost/file.pp
index a471359..0c01b34 100644
--- a/manifests/vhost/file.pp
+++ b/manifests/vhost/file.pp
@@ -7,6 +7,12 @@
# - absent: standardpath (default)
# - else: path to deploy
#
+# ssl_mode: wether this vhost supports ssl or not
+# - false: don't enable ssl for this vhost (default)
+# - true: enable ssl for this vhost
+# - force: enable ssl and redirect non-ssl to ssl
+# - only: enable ssl only
+#
# run_mode: controls in which mode the vhost should be run, there are different setups
# possible:
# - normal: (*default*) run vhost with the current active worker (default: prefork) don't
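Review bot: `wether` in the new `ssl_mode` header line should be `whether`. The same parameter is documented in manifests/vhost/template.pp, so the two headers are best kept word-for-word identical to avoid drift.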
@@ -32,6 +38,7 @@ define apache::vhost::file(
$content = 'absent',
$do_includes = false,
$run_mode = 'normal',
+ $ssl_mode = false,
$mod_security = false,
$htpasswd_file = 'absent',
$htpasswd_path = 'absent',
@@ -46,8 +53,26 @@ define apache::vhost::file(
}
case $run_mode {
- 'itk': { include ::apache::itk::lock }
- 'proxy-itk','static-itk': { include ::apache::itk_plus::lock }
+ 'itk': {
+ include ::apache::itk
+ include ::apache::itk::lock
+ if $ssl_mode {
+ include ::apache::ssl::itk
+ }
+ ]
+ 'proxy-itk','static-itk': {
+ include ::apache::itk_plus
+ include ::apache::itk_plus::lock
+ if $ssl_mode {
+ include ::apache::ssl::itk_plus
+ }
+ }
+ default: {
+ include ::apache
+ if $ssl_mode {
+ include ::apache::ssl
+ }
+ }
}
$vhosts_dir = $operatingsystem ? {
centos => "$apache::centos::config_dir/vhosts.d",
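Review bot: The `'itk'` case arm is closed with `]` instead of `}` (the line right after the `include ::apache::ssl::itk` block), which is a parse error in Puppet and will break every catalog that compiles apache::vhost::file; the line should read `}`. The `if $ssl_mode` guards in all three arms also deserve a comment: the header documents 'false', 'true', 'force' and 'only', and a plain truth test treats 'force' and 'only' as enabled (presumably intended) but would also treat a string `'false'` as enabled if a caller passes one; `# any non-false value (true/force/only) pulls in the SSL class` documents the intent. The case statement and the rest of the define continue outside the hunk.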
diff --git a/manifests/vhost/template.pp b/manifests/vhost/template.pp
index 36aa0cd..b4c2562 100644
--- a/manifests/vhost/template.pp
+++ b/manifests/vhost/template.pp
@@ -14,6 +14,7 @@
# - true: enable ssl for this vhost
# - force: enable ssl and redirect non-ssl to ssl
# - only: enable ssl only
+#
# php_safe_mode_exec_bins: An array of local binaries which should be linked in the
# safe_mode_exec_bin for this hosting
# *default*: None
@@ -164,6 +165,7 @@ define apache::vhost::template(
ensure => $ensure,
do_includes => $do_includes,
run_mode => $run_mode,
+ ssl_mode => $ssl_mode,
mod_security => $mod_security,
htpasswd_file => $htpasswd_file,
htpasswd_path => $htpasswd_path,
diff --git a/templates/itk_plus/CentOS/00-listen-ssl.conf.erb b/templates/itk_plus/CentOS/00-listen-ssl.conf.erb
new file mode 100644
index 0000000..1c06433
--- /dev/null
+++ b/templates/itk_plus/CentOS/00-listen-ssl.conf.erb
@@ -0,0 +1,6 @@
+<IfDefine HttpdLocal>
+Listen 127.0.0.1:443
+</IfDefine>
+<IfDefine !HttpdLocal>
+Listen <%= ipaddress %>:443
+</IfDefine>