From 49064cc0ad4f89dd7aaa2690436c30a26a0385f9 Mon Sep 17 00:00:00 2001 
From: o Date: Fri, 14 Nov 2014 11:47:35 +0100 Subject: sni: make ssl_cert configurable per vhost to support sni we configure ssl_certs on a vhost basis. additionally this commit introduces a generic configuration hash which will be used to replace most other parameters in the future. --- files/include.d/CentOS/ssl_defaults.inc | 134 ------------------ files/include.d/Debian/ssl_defaults.inc | 144 ------------------- files/include.d/OpenBSD/ssl_defaults.inc | 5 - files/vhosts.d/CentOS/0-default_ssl.conf | 21 --- files/vhosts.d/Debian/0-default_ssl.conf | 170 ----------------------- files/vhosts.d/Gentoo/0-default_ssl.conf | 200 --------------------------- files/vhosts.d/OpenBSD/0-default_ssl.conf | 9 -- manifests/init.pp | 14 +- manifests/ssl/base.pp | 13 +- manifests/vhost.pp | 3 + manifests/vhost/file.pp | 1 + manifests/vhost/gitweb.pp | 2 + manifests/vhost/modperl.pp | 2 + manifests/vhost/passenger.pp | 2 + manifests/vhost/php/drupal.pp | 2 + manifests/vhost/php/gallery2.pp | 2 + manifests/vhost/php/joomla.pp | 2 + manifests/vhost/php/mediawiki.pp | 2 + manifests/vhost/php/silverstripe.pp | 2 + manifests/vhost/php/simplemachine.pp | 2 + manifests/vhost/php/spip.pp | 2 + manifests/vhost/php/standard.pp | 2 + manifests/vhost/php/typo3.pp | 2 + manifests/vhost/php/webapp.pp | 2 + manifests/vhost/php/wordpress.pp | 2 + manifests/vhost/proxy.pp | 2 + manifests/vhost/redirect.pp | 2 + manifests/vhost/static.pp | 2 + manifests/vhost/template.pp | 2 + manifests/vhost/webdav.pp | 2 + templates/include.d/ssl_defaults.inc.erb | 81 +++++++++++ templates/vhosts/0-default_ssl.conf.erb | 21 +++ templates/vhosts/default.erb | 4 +- templates/vhosts/partials/header_default.erb | 2 + templates/vhosts/partials/ssl.erb | 5 + 35 files changed, 173 insertions(+), 692 deletions(-) delete mode 100644 files/include.d/CentOS/ssl_defaults.inc delete mode 100644 files/include.d/Debian/ssl_defaults.inc delete mode 100644 files/include.d/OpenBSD/ssl_defaults.inc delete mode 100644 
files/vhosts.d/CentOS/0-default_ssl.conf delete mode 100644 files/vhosts.d/Debian/0-default_ssl.conf delete mode 100644 files/vhosts.d/Gentoo/0-default_ssl.conf delete mode 100644 files/vhosts.d/OpenBSD/0-default_ssl.conf create mode 100644 templates/include.d/ssl_defaults.inc.erb create mode 100644 templates/vhosts/0-default_ssl.conf.erb create mode 100644 templates/vhosts/partials/ssl.erb diff --git a/files/include.d/CentOS/ssl_defaults.inc b/files/include.d/CentOS/ssl_defaults.inc deleted file mode 100644 index 776b7c3..0000000 --- a/files/include.d/CentOS/ssl_defaults.inc +++ /dev/null 
@@ -1,134 +0,0 @@ -# SSL Engine Switch: -# Enable/Disable SSL for this virtual host. -SSLEngine on - -# SSL Protocol support: -# List the enable protocol levels with which clients will be able to -# connect. Disable SSLv2 access by default: -SSLProtocol All -SSLv2 -SSLv3 - -# SSL Cipher Suite: -# List the ciphers that the client is permitted to negotiate. -# See the mod_ssl documentation for a complete list. -#SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 -SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH - -SSLHonorCipherOrder on - -# Server Certificate: -# Point SSLCertificateFile at a PEM encoded certificate. If -# the certificate is encrypted, then you will be prompted for a -# pass phrase. Note that a kill -HUP will prompt again. A new -# certificate can be generated using the genkey(1) command. -#SSLCertificateFile /etc/pki/tls/certs/localhost.crt - -# Server Private Key: -# If the key is not combined with the certificate, use this -# directive to point at the key file. Keep in mind that if -# you've both a RSA and a DSA private key you can configure -# both in parallel (to also allow the use of DSA ciphers, etc.) -#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key - -# Server Certificate Chain: -# Point SSLCertificateChainFile at a file containing the -# concatenation of PEM encoded CA certificates which form the -# certificate chain for the server certificate. Alternatively -# the referenced file can be the same as SSLCertificateFile -# when the CA certificates are directly appended to the server -# certificate for convinience. -#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt - -# Certificate Authority (CA): -# Set the CA certificate verification path where to find CA -# certificates for client authentication or alternatively one -# huge file containing all of them (file must be PEM encoded) -#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt - -# Client Authentication (Type): -# Client certificate verification type and depth. 
Types are -# none, optional, require and optional_no_ca. Depth is a -# number which specifies how deeply to verify the certificate -# issuer chain before deciding the certificate is not valid. -#SSLVerifyClient require -#SSLVerifyDepth 10 - -# Access Control: -# With SSLRequire you can do per-directory access control based -# on arbitrary complex boolean expressions containing server -# variable checks and other lookup directives. The syntax is a -# mixture between C and Perl. See the mod_ssl documentation -# for more details. -# -#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ -# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ -# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ -# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ -# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ -# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ -# - -# SSL Engine Options: -# Set various options for the SSL engine. -# o FakeBasicAuth: -# Translate the client X.509 into a Basic Authorisation. This means that -# the standard Auth/DBMAuth methods can be used for access control. The -# user name is the `one line' version of the client's X.509 certificate. -# Note that no password is obtained from the user. Every entry in the user -# file needs this password: `xxj31ZMTZzkVA'. -# o ExportCertData: -# This exports two additional environment variables: SSL_CLIENT_CERT and -# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the -# server (always existing) and the client (only existing when client -# authentication is used). This can be used to import the certificates -# into CGI scripts. -# o StdEnvVars: -# This exports the standard SSL/TLS related `SSL_*' environment variables. -# Per default this exportation is switched off for performance reasons, -# because the extraction step is an expensive operation and is usually -# useless for serving static content. So one usually enables the -# exportation for CGI and SSI requests only. 
-# o StrictRequire: -# This denies access when "SSLRequireSSL" or "SSLRequire" applied even -# under a "Satisfy any" situation, i.e. when it applies access is denied -# and no other module can change it. -# o OptRenegotiate: -# This enables optimized SSL connection renegotiation handling when SSL -# directives are used in per-directory context. -#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - - SSLOptions +StdEnvVars - - - SSLOptions +StdEnvVars - - -# SSL Protocol Adjustments: -# The safe and default but still SSL/TLS standard compliant shutdown -# approach is that mod_ssl sends the close notify alert but doesn't wait for -# the close notify alert from client. When you need a different shutdown -# approach you can use one of the following variables: -# o ssl-unclean-shutdown: -# This forces an unclean shutdown when the connection is closed, i.e. no -# SSL close notify alert is send or allowed to received. This violates -# the SSL/TLS standard but is needed for some brain-dead browsers. Use -# this when you receive I/O errors because of the standard approach where -# mod_ssl sends the close notify alert. -# o ssl-accurate-shutdown: -# This forces an accurate shutdown when the connection is closed, i.e. a -# SSL close notify alert is send and mod_ssl waits for the close notify -# alert of the client. This is 100% SSL/TLS standard compliant, but in -# practice often causes hanging connections with brain-dead browsers. Use -# this only for browsers where you know that their SSL implementation -# works correctly. -# Notice: Most problems of broken clients are also related to the HTTP -# keep-alive facility, so you usually additionally want to disable -# keep-alive for those clients, too. Use variable "nokeepalive" for this. -# Similarly, one has to force some clients to use HTTP/1.0 to workaround -# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and -# "force-response-1.0" for this. 
-SetEnvIf User-Agent ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - -# set STS Header -Header add Strict-Transport-Security "max-age=15768000" diff --git a/files/include.d/Debian/ssl_defaults.inc b/files/include.d/Debian/ssl_defaults.inc deleted file mode 100644 index 2599a4f..0000000 --- a/files/include.d/Debian/ssl_defaults.inc +++ /dev/null 
@@ -1,144 +0,0 @@ -# Use separate log files for the SSL virtual host; note that LogLevel -# is not inherited from httpd.conf. -ErrorLog /var/log/apache2/ssl_error_log -TransferLog /var/log/apache2/ssl_access_log -LogLevel warn - -# SSL Engine Switch: -# Enable/Disable SSL for this virtual host. -SSLEngine on - -# SSL Protocol support: -# List the enable protocol levels with which clients will be able to -# connect. Disable SSLv2 access by default: -SSLProtocol All -SSLv2 -SSLv3 - -# SSL Cipher Suite: -# List the ciphers that the client is permitted to negotiate. -# See the mod_ssl documentation for a complete list. -SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH -SSLHonorCipherOrder on - -# Server Certificate: -# Point SSLCertificateFile at a PEM encoded certificate. If -# the certificate is encrypted, then you will be prompted for a -# pass phrase. Note that a kill -HUP will prompt again. A new -# certificate can be generated using the genkey(1) command. -#SSLCertificateFile /etc/pki/tls/certs/localhost.crt - -# Server Private Key: -# If the key is not combined with the certificate, use this -# directive to point at the key file. Keep in mind that if -# you've both a RSA and a DSA private key you can configure -# both in parallel (to also allow the use of DSA ciphers, etc.) -#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key - -# Server Certificate Chain: -# Point SSLCertificateChainFile at a file containing the -# concatenation of PEM encoded CA certificates which form the -# certificate chain for the server certificate. Alternatively -# the referenced file can be the same as SSLCertificateFile -# when the CA certificates are directly appended to the server -# certificate for convinience. 
-#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt - -# Certificate Authority (CA): -# Set the CA certificate verification path where to find CA -# certificates for client authentication or alternatively one -# huge file containing all of them (file must be PEM encoded) -#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt - -# Client Authentication (Type): -# Client certificate verification type and depth. Types are -# none, optional, require and optional_no_ca. Depth is a -# number which specifies how deeply to verify the certificate -# issuer chain before deciding the certificate is not valid. -#SSLVerifyClient require -#SSLVerifyDepth 10 - -# Access Control: -# With SSLRequire you can do per-directory access control based -# on arbitrary complex boolean expressions containing server -# variable checks and other lookup directives. The syntax is a -# mixture between C and Perl. See the mod_ssl documentation -# for more details. -# -#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ -# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ -# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ -# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ -# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ -# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ -# - -# SSL Engine Options: -# Set various options for the SSL engine. -# o FakeBasicAuth: -# Translate the client X.509 into a Basic Authorisation. This means that -# the standard Auth/DBMAuth methods can be used for access control. The -# user name is the `one line' version of the client's X.509 certificate. -# Note that no password is obtained from the user. Every entry in the user -# file needs this password: `xxj31ZMTZzkVA'. -# o ExportCertData: -# This exports two additional environment variables: SSL_CLIENT_CERT and -# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the -# server (always existing) and the client (only existing when client -# authentication is used). 
This can be used to import the certificates -# into CGI scripts. -# o StdEnvVars: -# This exports the standard SSL/TLS related `SSL_*' environment variables. -# Per default this exportation is switched off for performance reasons, -# because the extraction step is an expensive operation and is usually -# useless for serving static content. So one usually enables the -# exportation for CGI and SSI requests only. -# o StrictRequire: -# This denies access when "SSLRequireSSL" or "SSLRequire" applied even -# under a "Satisfy any" situation, i.e. when it applies access is denied -# and no other module can change it. -# o OptRenegotiate: -# This enables optimized SSL connection renegotiation handling when SSL -# directives are used in per-directory context. -#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - - SSLOptions +StdEnvVars - - - SSLOptions +StdEnvVars - - -# SSL Protocol Adjustments: -# The safe and default but still SSL/TLS standard compliant shutdown -# approach is that mod_ssl sends the close notify alert but doesn't wait for -# the close notify alert from client. When you need a different shutdown -# approach you can use one of the following variables: -# o ssl-unclean-shutdown: -# This forces an unclean shutdown when the connection is closed, i.e. no -# SSL close notify alert is send or allowed to received. This violates -# the SSL/TLS standard but is needed for some brain-dead browsers. Use -# this when you receive I/O errors because of the standard approach where -# mod_ssl sends the close notify alert. -# o ssl-accurate-shutdown: -# This forces an accurate shutdown when the connection is closed, i.e. a -# SSL close notify alert is send and mod_ssl waits for the close notify -# alert of the client. This is 100% SSL/TLS standard compliant, but in -# practice often causes hanging connections with brain-dead browsers. Use -# this only for browsers where you know that their SSL implementation -# works correctly. 
-# Notice: Most problems of broken clients are also related to the HTTP -# keep-alive facility, so you usually additionally want to disable -# keep-alive for those clients, too. Use variable "nokeepalive" for this. -# Similarly, one has to force some clients to use HTTP/1.0 to workaround -# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and -# "force-response-1.0" for this. -SetEnvIf User-Agent ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - -# Per-Server Logging: -# The home of a custom SSL log file. Use this when you want a -# compact non-error SSL logfile on a virtual host basis. -CustomLog /var/log/apache2/ssl_request_log \ - "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" - -# set STS Header -Header add Strict-Transport-Security "max-age=15768000" diff --git a/files/include.d/OpenBSD/ssl_defaults.inc b/files/include.d/OpenBSD/ssl_defaults.inc deleted file mode 100644 index 67cf36f..0000000 --- a/files/include.d/OpenBSD/ssl_defaults.inc +++ /dev/null @@ -1,5 +0,0 @@ -SSLEngine on -#SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 -SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH -SSLCertificateFile /etc/ssl/server.crt -SSLCertificateKeyFile /etc/ssl/private/server.key diff --git a/files/vhosts.d/CentOS/0-default_ssl.conf b/files/vhosts.d/CentOS/0-default_ssl.conf deleted file mode 100644 index d018bcc..0000000 --- a/files/vhosts.d/CentOS/0-default_ssl.conf +++ /dev/null 
@@ -1,21 +0,0 @@ -############################################################ -### This file is managed by PUPPET! #### -### Only modify in repo or you will loose the changes! #### -############################################################ - - - Include include.d/defaults.inc - Include include.d/ssl_defaults.inc - DocumentRoot /var/www/html - - # Use separate log files for the SSL virtual host; note that LogLevel - # is not inherited from httpd.conf. - ErrorLog logs/ssl_error_log - TransferLog logs/ssl_access_log - LogLevel warn - - SSLCertificateFile /etc/pki/tls/certs/localhost.crt - SSLCertificateKeyFile /etc/pki/tls/private/localhost.key - - -# vim: ts=4 filetype=apache diff --git a/files/vhosts.d/Debian/0-default_ssl.conf b/files/vhosts.d/Debian/0-default_ssl.conf deleted file mode 100644 index 870215c..0000000 --- a/files/vhosts.d/Debian/0-default_ssl.conf +++ /dev/null 
@@ -1,170 +0,0 @@ - - - ServerAdmin webmaster@localhost - - DocumentRoot /var/www/ - - Options FollowSymLinks - AllowOverride None - - - Options Indexes FollowSymLinks MultiViews - AllowOverride None - Order allow,deny - allow from all - - - ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ - - AllowOverride None - Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch - Order allow,deny - Allow from all - - - ErrorLog /var/log/apache2/error.log - - # Possible values include: debug, info, notice, warn, error, crit, - # alert, emerg. - LogLevel warn - - CustomLog /var/log/apache2/ssl_access.log combined - - Alias /doc/ "/usr/share/doc/" - - Options Indexes MultiViews FollowSymLinks - AllowOverride None - Order deny,allow - Deny from all - Allow from 127.0.0.0/255.0.0.0 ::1/128 - - - # SSL Engine Switch: - # Enable/Disable SSL for this virtual host. - SSLEngine on - - # A self-signed (snakeoil) certificate can be created by installing - # the ssl-cert package. See - # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. - # If both key and certificate are stored in the same file, only the - # SSLCertificateFile directive is needed. - SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem - SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key - - # Server Certificate Chain: - # Point SSLCertificateChainFile at a file containing the - # concatenation of PEM encoded CA certificates which form the - # certificate chain for the server certificate. Alternatively - # the referenced file can be the same as SSLCertificateFile - # when the CA certificates are directly appended to the server - # certificate for convinience. 
- #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt - - # Certificate Authority (CA): - # Set the CA certificate verification path where to find CA - # certificates for client authentication or alternatively one - # huge file containing all of them (file must be PEM encoded) - # Note: Inside SSLCACertificatePath you need hash symlinks - # to point to the certificate files. Use the provided - # Makefile to update the hash symlinks after changes. - #SSLCACertificatePath /etc/ssl/certs/ - #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt - - # Certificate Revocation Lists (CRL): - # Set the CA revocation path where to find CA CRLs for client - # authentication or alternatively one huge file containing all - # of them (file must be PEM encoded) - # Note: Inside SSLCARevocationPath you need hash symlinks - # to point to the certificate files. Use the provided - # Makefile to update the hash symlinks after changes. - #SSLCARevocationPath /etc/apache2/ssl.crl/ - #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl - - # Client Authentication (Type): - # Client certificate verification type and depth. Types are - # none, optional, require and optional_no_ca. Depth is a - # number which specifies how deeply to verify the certificate - # issuer chain before deciding the certificate is not valid. - #SSLVerifyClient require - #SSLVerifyDepth 10 - - # Access Control: - # With SSLRequire you can do per-directory access control based - # on arbitrary complex boolean expressions containing server - # variable checks and other lookup directives. The syntax is a - # mixture between C and Perl. See the mod_ssl documentation - # for more details. - # - #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ - # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." 
\ - # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ - # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ - # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ - # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ - # - - # SSL Engine Options: - # Set various options for the SSL engine. - # o FakeBasicAuth: - # Translate the client X.509 into a Basic Authorisation. This means that - # the standard Auth/DBMAuth methods can be used for access control. The - # user name is the `one line' version of the client's X.509 certificate. - # Note that no password is obtained from the user. Every entry in the user - # file needs this password: `xxj31ZMTZzkVA'. - # o ExportCertData: - # This exports two additional environment variables: SSL_CLIENT_CERT and - # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the - # server (always existing) and the client (only existing when client - # authentication is used). This can be used to import the certificates - # into CGI scripts. - # o StdEnvVars: - # This exports the standard SSL/TLS related `SSL_*' environment variables. - # Per default this exportation is switched off for performance reasons, - # because the extraction step is an expensive operation and is usually - # useless for serving static content. So one usually enables the - # exportation for CGI and SSI requests only. - # o StrictRequire: - # This denies access when "SSLRequireSSL" or "SSLRequire" applied even - # under a "Satisfy any" situation, i.e. when it applies access is denied - # and no other module can change it. - # o OptRenegotiate: - # This enables optimized SSL connection renegotiation handling when SSL - # directives are used in per-directory context. 
- #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - - SSLOptions +StdEnvVars - - - SSLOptions +StdEnvVars - - - # SSL Protocol Adjustments: - # The safe and default but still SSL/TLS standard compliant shutdown - # approach is that mod_ssl sends the close notify alert but doesn't wait for - # the close notify alert from client. When you need a different shutdown - # approach you can use one of the following variables: - # o ssl-unclean-shutdown: - # This forces an unclean shutdown when the connection is closed, i.e. no - # SSL close notify alert is send or allowed to received. This violates - # the SSL/TLS standard but is needed for some brain-dead browsers. Use - # this when you receive I/O errors because of the standard approach where - # mod_ssl sends the close notify alert. - # o ssl-accurate-shutdown: - # This forces an accurate shutdown when the connection is closed, i.e. a - # SSL close notify alert is send and mod_ssl waits for the close notify - # alert of the client. This is 100% SSL/TLS standard compliant, but in - # practice often causes hanging connections with brain-dead browsers. Use - # this only for browsers where you know that their SSL implementation - # works correctly. - # Notice: Most problems of broken clients are also related to the HTTP - # keep-alive facility, so you usually additionally want to disable - # keep-alive for those clients, too. Use variable "nokeepalive" for this. - # Similarly, one has to force some clients to use HTTP/1.0 to workaround - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and - # "force-response-1.0" for this. - BrowserMatch ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - - - diff --git a/files/vhosts.d/Gentoo/0-default_ssl.conf b/files/vhosts.d/Gentoo/0-default_ssl.conf deleted file mode 100644 index a123de8..0000000 --- a/files/vhosts.d/Gentoo/0-default_ssl.conf +++ /dev/null 
@@ -1,200 +0,0 @@ -############################################################ -#### this file is managed by PUPPET #### -#### only modify in svn or you will loose the changes ! #### -############################################################ - - - -# see bug #178966 why this is in here - -# When we also provide SSL we have to listen to the HTTPS port -# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two -# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" -Listen 443 -NameVirtualHost *:443 -LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x" sslcombined -UseCanonicalName On - - - Include /etc/apache2/vhosts.d/default_vhost.include - ErrorLog /var/log/apache2/ssl_error_log - - - TransferLog /var/log/apache2/ssl_access_log - - - ## SSL Engine Switch: - # Enable/Disable SSL for this virtual host. - SSLEngine on - - ## SSL Cipher Suite: - # List the ciphers that the client is permitted to negotiate. - # See the mod_ssl documentation for a complete list. - #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL - #SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH - - SSLCertificateFile /e/certs/server.crt - SSLCertificateKeyFile /e/certs/server.key - - SSLOptions +StdEnvVars - - - RewriteEngine on - RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) - RewriteRule .* - [F] - ServerSignature Off - - ## Server Certificate: - # Point SSLCertificateFile at a PEM encoded certificate. If the certificate - # is encrypted, then you will be prompted for a pass phrase. Note that a - # kill -HUP will prompt again. Keep in mind that if you have both an RSA - # and a DSA certificate you can configure both in parallel (to also allow - # the use of DSA ciphers, etc.) 
- #SSLCertificateFile /etc/apache2/ssl/server.crt - #SSLCertificateFile /etc/apache2/ssl/server-dsa.crt - - ## Server Private Key: - # If the key is not combined with the certificate, use this directive to - # point at the key file. Keep in mind that if you've both a RSA and a DSA - # private key you can configure both in parallel (to also allow the use of - # DSA ciphers, etc.) - #SSLCertificateKeyFile /etc/apache2/ssl/server.key - #SSLCertificateKeyFile /etc/apache2/ssl/server-dsa.key - - ## Server Certificate Chain: - # Point SSLCertificateChainFile at a file containing the concatenation of - # PEM encoded CA certificates which form the certificate chain for the - # server certificate. Alternatively the referenced file can be the same as - # SSLCertificateFile when the CA certificates are directly appended to the - # server certificate for convinience. - #SSLCertificateChainFile /etc/apache2/ssl/ca.crt - - ## Certificate Authority (CA): - # Set the CA certificate verification path where to find CA certificates - # for client authentication or alternatively one huge file containing all - # of them (file must be PEM encoded). - # Note: Inside SSLCACertificatePath you need hash symlinks to point to the - # certificate files. Use the provided Makefile to update the hash symlinks - # after changes. - #SSLCACertificatePath /etc/apache2/ssl/ssl.crt - #SSLCACertificateFile /etc/apache2/ssl/ca-bundle.crt - - ## Certificate Revocation Lists (CRL): - # Set the CA revocation path where to find CA CRLs for client authentication - # or alternatively one huge file containing all of them (file must be PEM - # encoded). - # Note: Inside SSLCARevocationPath you need hash symlinks to point to the - # certificate files. Use the provided Makefile to update the hash symlinks - # after changes. - #SSLCARevocationPath /etc/apache2/ssl/ssl.crl - #SSLCARevocationFile /etc/apache2/ssl/ca-bundle.crl - - ## Client Authentication (Type): - # Client certificate verification type and depth. 
Types are none, optional, - # require and optional_no_ca. Depth is a number which specifies how deeply - # to verify the certificate issuer chain before deciding the certificate is - # not valid. - #SSLVerifyClient require - #SSLVerifyDepth 10 - - ## Access Control: - # With SSLRequire you can do per-directory access control based on arbitrary - # complex boolean expressions containing server variable checks and other - # lookup directives. The syntax is a mixture between C and Perl. See the - # mod_ssl documentation for more details. - # - # #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ - # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ - # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ - # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ - # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ - # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ - # - - ## SSL Engine Options: - # Set various options for the SSL engine. - - ## FakeBasicAuth: - # Translate the client X.509 into a Basic Authorisation. This means that the - # standard Auth/DBMAuth methods can be used for access control. The user - # name is the `one line' version of the client's X.509 certificate. - # Note that no password is obtained from the user. Every entry in the user - # file needs this password: `xxj31ZMTZzkVA'. - - ## ExportCertData: - # This exports two additional environment variables: SSL_CLIENT_CERT and - # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the server - # (always existing) and the client (only existing when client - # authentication is used). This can be used to import the certificates into - # CGI scripts. - - ## StdEnvVars: - # This exports the standard SSL/TLS related `SSL_*' environment variables. - # Per default this exportation is switched off for performance reasons, - # because the extraction step is an expensive operation and is usually - # useless for serving static content. So one usually enables the exportation - # for CGI and SSI requests only. 
- - ## StrictRequire: - # This denies access when "SSLRequireSSL" or "SSLRequire" applied even under - # a "Satisfy any" situation, i.e. when it applies access is denied and no - # other module can change it. - - ## OptRenegotiate: - # This enables optimized SSL connection renegotiation handling when SSL - # directives are used in per-directory context. - #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - - SSLOptions +StdEnvVars - - - - SSLOptions +StdEnvVars - - - ## SSL Protocol Adjustments: - # The safe and default but still SSL/TLS standard compliant shutdown - # approach is that mod_ssl sends the close notify alert but doesn't wait - # for the close notify alert from client. When you need a different - # shutdown approach you can use one of the following variables: - - ## ssl-unclean-shutdown: - # This forces an unclean shutdown when the connection is closed, i.e. no - # SSL close notify alert is send or allowed to received. This violates the - # SSL/TLS standard but is needed for some brain-dead browsers. Use this when - # you receive I/O errors because of the standard approach where mod_ssl - # sends the close notify alert. - - ## ssl-accurate-shutdown: - # This forces an accurate shutdown when the connection is closed, i.e. a - # SSL close notify alert is send and mod_ssl waits for the close notify - # alert of the client. This is 100% SSL/TLS standard compliant, but in - # practice often causes hanging connections with brain-dead browsers. Use - # this only for browsers where you know that their SSL implementation works - # correctly. - # Notice: Most problems of broken clients are also related to the HTTP - # keep-alive facility, so you usually additionally want to disable - # keep-alive for those clients, too. Use variable "nokeepalive" for this. - # Similarly, one has to force some clients to use HTTP/1.0 to workaround - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and - # "force-response-1.0" for this. 
-
- BrowserMatch ".*MSIE.*" \
- nokeepalive ssl-unclean-shutdown \
- downgrade-1.0 force-response-1.0
-
-
- ## Per-Server Logging:
- # The home of a custom SSL log file. Use this when you want a compact
- # non-error SSL logfile on a virtual host basis.
-
- CustomLog /var/log/apache2/ssl_request_log \
- "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-
-
-
-
-
-# vim: ts=4 filetype=apache
diff --git a/files/vhosts.d/OpenBSD/0-default_ssl.conf b/files/vhosts.d/OpenBSD/0-default_ssl.conf
deleted file mode 100644
index 53ea262..0000000
--- a/files/vhosts.d/OpenBSD/0-default_ssl.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-
- Include include.d/defaults.inc
- Include include.d/ssl_defaults.inc
-
- DocumentRoot /var/www/htdocs/default/www/
- ErrorLog /var/www/htdocs/default/logs/default_error_log
- CustomLog /var/www/htdocs/default/logs/default_access_log combined
-
-
diff --git a/manifests/init.pp b/manifests/init.pp
index a974c9c..badac8f 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -14,11 +14,15 @@
 # manage a simple apache
 class apache(
- $cluster_node = '',
- $manage_shorewall = false,
- $manage_munin = false,
- $no_default_site = false,
- $ssl = false
+ $cluster_node = '',
+ $manage_shorewall = false,
+ $manage_munin = false,
+ $no_default_site = false,
+ $ssl = false,
+ $default_ssl_certificate_file = absent,
+ $default_ssl_certificate_key_file = absent,
+ $default_ssl_certificate_chain_file = absent,
+ $ssl_cipher_suite = "${certs::ssl_config::ciphers}"
 ) {
 case $::operatingsystem {
 centos: { include apache::centos }
diff --git a/manifests/ssl/base.pp b/manifests/ssl/base.pp
index 65bd5f7..3f32913 100644
--- a/manifests/ssl/base.pp
+++ b/manifests/ssl/base.pp
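Review bot: The new default `$ssl_cipher_suite = "${certs::ssl_config::ciphers}"` in the `class apache(` parameter list reads a variable out of a class in another module at evaluation time; if `certs::ssl_config` has not been evaluated before `apache` is declared, the lookup yields undef and the interpolation an empty string, so the SSLCipherSuite rendered by the new ssl_defaults.inc.erb (not in this chunk) would be empty instead of the explicit `HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH` the deleted include files carried. A guard in the class body such as `if $ssl_cipher_suite == '' { fail('apache: ssl_cipher_suite must not be empty') }` turns a mis-ordered catalog into a clear compile failure rather than a silently weaker or invalid cipher list. The deleted includes also set `SSLProtocol All -SSLv2 -SSLv3`, `SSLHonorCipherOrder on` and the Strict-Transport-Security header; whether the replacement template preserves those cannot be checked from this chunk. The class body continues past the end of the hunk.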
@@ -1,8 +1,15 @@
 # basic defaults for ssl support
-class apache::ssl::base {
- ::apache::config::include{ 'ssl_defaults.inc': }
+class apache::ssl::base (
+) {
+ apache::config::include {
+ 'ssl_defaults.inc':
+ content => template('apache/include.d/ssl_defaults.inc.erb');
+ }
 if !$apache::no_default_site {
- ::apache::vhost::file{ '0-default_ssl': }
+ apache::vhost::file{
+ '0-default_ssl':
+ content => template('apache/vhosts/0-default_ssl.conf.erb');
+ }
 }
 }
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
index 0b3e4f3..da1ce90 100644
--- a/manifests/vhost.pp
+++ b/manifests/vhost.pp
@@ -30,6 +30,7 @@
 #
 define apache::vhost(
 $ensure = present,
+ $configuration = {},
 $path = 'absent',
 $path_is_webdir = false,
 $logpath = 'absent',
@@ -72,6 +73,7 @@ define apache::vhost(
 'file': {
 apache::vhost::file{$name:
 ensure => $ensure,
+ configuration => $configuration,
 vhost_source => $vhost_source,
 vhost_destination => $vhost_destination,
 do_includes => $do_includes,
@@ -85,6 +87,7 @@ define apache::vhost(
 'template': {
 apache::vhost::template{$name:
 ensure => $ensure,
+ configuration => $configuration,
 path => $path,
 path_is_webdir => $path_is_webdir,
 logpath => $logpath,
diff --git a/manifests/vhost/file.pp b/manifests/vhost/file.pp
index 087d478..686cb1a 100644
--- a/manifests/vhost/file.pp
+++ b/manifests/vhost/file.pp
@@ -40,6 +40,7 @@
 #
 define apache::vhost::file(
 $ensure = present,
+ $configuration = {},
 $vhost_source = 'absent',
 $vhost_destination = 'absent',
 $content = 'absent',
diff --git a/manifests/vhost/gitweb.pp b/manifests/vhost/gitweb.pp
index dab4983..6dd8643 100644
--- a/manifests/vhost/gitweb.pp
+++ b/manifests/vhost/gitweb.pp
@@ -6,6 +6,7 @@
 #
 define apache::vhost::gitweb(
 $ensure = present,
+ $configuration = {},
 $domain = 'absent',
 $logmode = 'default',
 $domainalias = 'absent',
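Review bot: The new `$configuration` parameter of apache::vhost (hunk `@@ -30,6 +30,7 @@`) is undocumented, although the header comment block that the hunk's leading `#` context line closes documents the other parameters; which keys the hash honours can only be discovered by reading templates/vhosts/partials/ssl.erb. Add to that comment block, above `define apache::vhost(`, e.g. `# - configuration: hash of per-vhost settings; honoured keys: ssl_certificate_file, ssl_certificate_key_file, ssl_certificate_chain_file (each falls back to the matching apache::default_ssl_certificate_* class parameter)`. The same one-liner belongs in every other define of this commit that gains the parameter (file.pp, gitweb.pp and the rest), since callers reach the hash through them. The define's parameter list continues outside the hunk.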
@@ -28,6 +29,7 @@ define apache::vhost::gitweb(
 # create vhost configuration file
 ::apache::vhost{$name:
 ensure => $ensure,
+ configuration => $configuration,
 path => '/var/www/git',
 path_is_webdir => true,
 logpath => $::operatingsystem ? {
diff --git a/manifests/vhost/modperl.pp b/manifests/vhost/modperl.pp
index c93e6cf..31e46b6 100644
--- a/manifests/vhost/modperl.pp
+++ b/manifests/vhost/modperl.pp
@@ -27,6 +27,7 @@
 #
 define apache::vhost::modperl(
 $ensure = present,
+ $configuration = configuration,
 $domain = 'absent',
 $domainalias = 'absent',
 $server_admin = 'absent',
@@ -120,6 +121,7 @@ define apache::vhost::modperl(
 # create vhost configuration file
 ::apache::vhost{$name:
 ensure => $ensure,
+ configuration => $configuration,
 path => $path,
 logmode => $logmode,
 vhost_mode => $vhost_mode,
diff --git a/manifests/vhost/passenger.pp b/manifests/vhost/passenger.pp
index 6886f13..4621890 100644
--- a/manifests/vhost/passenger.pp
+++ b/manifests/vhost/passenger.pp
@@ -14,6 +14,7 @@
 #
 define apache::vhost::passenger(
 $ensure = present,
+ $configuration = {},
 $domain = 'absent',
 $domainalias = 'absent',
 $server_admin = 'absent',
@@ -105,6 +106,7 @@ define apache::vhost::passenger(
 # create vhost configuration file
 ::apache::vhost{$name:
 ensure => $ensure,
+ configuration => $configuration,
 path => "${real_path}/www/public",
 path_is_webdir => true,
 template_partial => $template_partial,
diff --git a/manifests/vhost/php/drupal.pp b/manifests/vhost/php/drupal.pp
index 4a41a20..5b15e6a 100644
--- a/manifests/vhost/php/drupal.pp
+++ b/manifests/vhost/php/drupal.pp
@@ -33,6 +33,7 @@
 #
 define apache::vhost::php::drupal(
 $ensure = present,
+ $configuration = {},
 $domain = 'absent',
 $domainalias = 'absent',
 $server_admin = 'absent',
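Review bot: `$configuration = configuration,` in the apache::vhost::modperl parameter list (hunk `@@ -27,6 +27,7 @@`) defaults the parameter to the bare word, i.e. the string 'configuration', whereas every other define in this commit uses `$configuration = {},`. Handed down to templates/vhosts/partials/ssl.erb, `configuration['ssl_certificate_file']` then becomes a String#[] substring lookup that happens to return nil, so the modperl vhost falls through to the class-wide default certificate only by accident, and any later use of the hash (`fetch`, `merge`, a key check) will break on this one define. Change the line to `$configuration = {},`. The define's parameter list continues outside the hunk.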
@@ -104,6 +105,7 @@ define apache::vhost::php::drupal(
 # create vhost configuration file
 ::apache::vhost::php::webapp{$name:
 ensure => $ensure,
+ configuration => $configuration,
 domain => $domain,
 domainalias => $domainalias,
 server_admin => $server_admin,
diff --git a/manifests/vhost/php/gallery2.pp b/manifests/vhost/php/gallery2.pp
index 78d5256..3acb011 100644
--- a/manifests/vhost/php/gallery2.pp
+++ b/manifests/vhost/php/gallery2.pp
@@ -32,6 +32,7 @@
 # - semianonym: Don't log ips for CustomLog, log normal ErrorLog
 define apache::vhost::php::gallery2(
 $ensure = present,
+ $configuration = {},
 $domain = 'absent',
 $domainalias = 'absent',
 $server_admin = 'absent',
@@ -100,6 +101,7 @@ define apache::vhost::php::gallery2(
 # create vhost configuration file
 ::apache::vhost::php::webapp{$name:
 ensure => $ensure,
+ configuration => $configuration,
 domain => $domain,
 domainalias => $domainalias,
 server_admin => $server_admin,
diff --git a/manifests/vhost/php/joomla.pp b/manifests/vhost/php/joomla.pp
index 38d41e7..eea39b5 100644
--- a/manifests/vhost/php/joomla.pp
+++ b/manifests/vhost/php/joomla.pp
@@ -26,6 +26,7 @@
 # - semianonym: Don't log ips for CustomLog, log normal ErrorLog
 define apache::vhost::php::joomla(
 $ensure = present,
+ $configuration = {},
 $domain = 'absent',
 $domainalias = 'absent',
 $server_admin = 'absent',
@@ -107,6 +108,7 @@ define apache::vhost::php::joomla(
 ::apache::vhost::php::webapp{ $name:
 ensure => $ensure,
+ configuration => $configuration,
 domain => $domain,
 domainalias => $domainalias,
 server_admin => $server_admin,
diff --git a/manifests/vhost/php/mediawiki.pp b/manifests/vhost/php/mediawiki.pp
index 3068c79..25881ca 100644
--- a/manifests/vhost/php/mediawiki.pp
+++ b/manifests/vhost/php/mediawiki.pp
@@ -26,6 +26,7 @@
 # - semianonym: Don't log ips for CustomLog, log normal ErrorLog
 define apache::vhost::php::mediawiki(
 $ensure = present,
+ $configuration = {},
 $domain = 'absent',
 $domainalias = 'absent',
 $server_admin = 'absent',
@@ -66,6 +67,7 @@ define apache::vhost::php::mediawiki(
 # create vhost configuration file
 ::apache::vhost::php::webapp{$name:
 ensure => $ensure,
+ configuration => $configuration,
 domain => $domain,
 domainalias => $domainalias,
 server_admin => $server_admin,
diff --git a/manifests/vhost/php/silverstripe.pp b/manifests/vhost/php/silverstripe.pp
index 81b0d7f..1f19eab 100644
--- a/manifests/vhost/php/silverstripe.pp
+++ b/manifests/vhost/php/silverstripe.pp
@@ -26,6 +26,7 @@
 # - semianonym: Don't log ips for CustomLog, log normal ErrorLog
 define apache::vhost::php::silverstripe(
 $ensure = present,
+ $configuration = {},
 $domain = 'absent',
 $domainalias = 'absent',
 $server_admin = 'absent',
@@ -77,6 +78,7 @@ define apache::vhost::php::silverstripe(
 # create vhost configuration file
 ::apache::vhost::php::webapp{$name:
 ensure => $ensure,
+ configuration => $configuration,
 domain => $domain,
 domainalias => $domainalias,
 server_admin => $server_admin,
diff --git a/manifests/vhost/php/simplemachine.pp b/manifests/vhost/php/simplemachine.pp
index 48386b6..3fa11a7 100644
--- a/manifests/vhost/php/simplemachine.pp
+++ b/manifests/vhost/php/simplemachine.pp
@@ -26,6 +26,7 @@
 # - semianonym: Don't log ips for CustomLog, log normal ErrorLog
 define apache::vhost::php::simplemachine(
 $ensure = present,
+ $configuration = {},
 $domain = 'absent',
 $domainalias = 'absent',
 $server_admin = 'absent',
@@ -72,6 +73,7 @@ define apache::vhost::php::simplemachine(
 # create vhost configuration file
 ::apache::vhost::php::webapp{$name:
 ensure => $ensure,
+ configuration => $configuration,
 domain => $domain,
 domainalias => $domainalias,
 server_admin => $server_admin,
diff --git a/manifests/vhost/php/spip.pp b/manifests/vhost/php/spip.pp
index 74be5d4..e33c1df 100644
--- a/manifests/vhost/php/spip.pp
+++ b/manifests/vhost/php/spip.pp
@@ -26,6 +26,7 @@
 # - semianonym: Don't log ips for CustomLog, log normal ErrorLog
 define apache::vhost::php::spip(
 $ensure = present,
+ $configuration = {},
 $domain = 'absent',
 $domainalias = 'absent',
 $server_admin = 'absent',
@@ -69,6 +70,7 @@ define apache::vhost::php::spip(
 # create vhost configuration file
 ::apache::vhost::php::webapp{$name:
 ensure => $ensure,
+ configuration => $configuration,
 domain => $domain,
 domainalias => $domainalias,
 server_admin => $server_admin,
diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp
index 86373a4..3870707 100644
--- a/manifests/vhost/php/standard.pp
+++ b/manifests/vhost/php/standard.pp
@@ -26,6 +26,7 @@
 # - semianonym: Don't log ips for CustomLog, log normal ErrorLog
 define apache::vhost::php::standard(
 $ensure = present,
+ $configuration = {},
 $domain = 'absent',
 $domainalias = 'absent',
 $server_admin = 'absent',
@@ -266,6 +267,7 @@ define apache::vhost::php::standard(
 # create vhost configuration file
 ::apache::vhost{$name:
 ensure => $ensure,
+ configuration => $configuration,
 path => $path,
 path_is_webdir => $path_is_webdir,
 vhost_mode => $vhost_mode,
diff --git a/manifests/vhost/php/typo3.pp b/manifests/vhost/php/typo3.pp
index a963c70..d9e877a 100644
--- a/manifests/vhost/php/typo3.pp
+++ b/manifests/vhost/php/typo3.pp
@@ -26,6 +26,7 @@
 # - semianonym: Don't log ips for CustomLog, log normal ErrorLog
 define apache::vhost::php::typo3(
 $ensure = present,
+ $configuration = {},
 $domain = 'absent',
 $domainalias = 'absent',
 $server_admin = 'absent',
@@ -91,6 +92,7 @@ define apache::vhost::php::typo3(
 # create vhost configuration file
 ::apache::vhost::php::webapp{$name:
 ensure => $ensure,
+ configuration => $configuration,
 domain => $domain,
 domainalias => $domainalias,
 server_admin => $server_admin,
diff --git a/manifests/vhost/php/webapp.pp b/manifests/vhost/php/webapp.pp
index 1569260..225b45b 100644
--- a/manifests/vhost/php/webapp.pp
+++ b/manifests/vhost/php/webapp.pp
@@ -26,6 +26,7 @@
 # - semianonym: Don't log ips for CustomLog, log normal ErrorLog
 define apache::vhost::php::webapp(
 $ensure = present,
+ $configuration = {},
 $domain = 'absent',
 $domainalias = 'absent',
 $server_admin = 'absent',
@@ -106,6 +107,7 @@ define apache::vhost::php::webapp(
 # create vhost configuration file
 ::apache::vhost::php::standard{$name:
 ensure => $ensure,
+ configuration => $configuration,
 domain => $domain,
 domainalias => $domainalias,
 server_admin => $server_admin,
diff --git a/manifests/vhost/php/wordpress.pp b/manifests/vhost/php/wordpress.pp
index 00e1898..be77eba 100644
--- a/manifests/vhost/php/wordpress.pp
+++ b/manifests/vhost/php/wordpress.pp
@@ -26,6 +26,7 @@
 # - semianonym: Don't log ips for CustomLog, log normal ErrorLog
 define apache::vhost::php::wordpress(
 $ensure = present,
+ $configuration = {},
 $domain = 'absent',
 $domainalias = 'absent',
 $server_admin = 'absent',
@@ -75,6 +76,7 @@ define apache::vhost::php::wordpress(
 # create vhost configuration file
 apache::vhost::php::webapp{$name:
 ensure => $ensure,
+ configuration => $configuration,
 domain => $domain,
 domainalias => $domainalias,
 server_admin => $server_admin,
diff --git a/manifests/vhost/proxy.pp b/manifests/vhost/proxy.pp
index 1c3b500..95ae205 100644
--- a/manifests/vhost/proxy.pp
+++ b/manifests/vhost/proxy.pp
@@ -21,6 +21,7 @@
 #
 define apache::vhost::proxy(
 $ensure = present,
+ $configuration = {},
 $domain = 'absent',
 $domainalias = 'absent',
 $htpasswd_file = 'absent',
@@ -38,6 +39,7 @@ define apache::vhost::proxy(
 # we use the options field as the target_url
 ::apache::vhost::template{$name:
 ensure => $ensure,
+ configuration => $configuration,
 template_partial => 'apache/vhosts/proxy/partial.erb',
 domain => $domain,
 path => 'really_absent',
diff --git a/manifests/vhost/redirect.pp b/manifests/vhost/redirect.pp
index a106c59..0ac40cc 100644
--- a/manifests/vhost/redirect.pp
+++ b/manifests/vhost/redirect.pp
@@ -21,6 +21,7 @@
 #
 define apache::vhost::redirect(
 $ensure = present,
+ $configuration = {},
 $domain = 'absent',
 $domainalias = 'absent',
 $target_url,
@@ -32,6 +33,7 @@ define apache::vhost::redirect(
 # we use the options field as the target_url
 ::apache::vhost::template{$name:
 ensure => $ensure,
+ configuration => $configuration,
 template_partial => 'apache/vhosts/redirect/partial.erb',
 domain => $domain,
 path => 'really_absent',
diff --git a/manifests/vhost/static.pp b/manifests/vhost/static.pp
index 21b062e..f919766 100644
--- a/manifests/vhost/static.pp
+++ b/manifests/vhost/static.pp
@@ -14,6 +14,7 @@
 #
 define apache::vhost::static(
 $ensure = present,
+ $configuration = {},
 $domain = 'absent',
 $domainalias = 'absent',
 $server_admin = 'absent',
@@ -58,6 +59,7 @@ define apache::vhost::static(
 # create vhost configuration file
 ::apache::vhost{$name:
 ensure => $ensure,
+ configuration => $configuration,
 path => $path,
 template_partial => $template_partial,
 vhost_mode => $vhost_mode,
diff --git a/manifests/vhost/template.pp b/manifests/vhost/template.pp
index 55d41d9..8e9b798 100644
--- a/manifests/vhost/template.pp
+++ b/manifests/vhost/template.pp
@@ -42,6 +42,7 @@
 #
 define apache::vhost::template(
 $ensure = present,
+ $configuration = {},
 $path = 'absent',
 $path_is_webdir = false,
 $logpath = 'absent',
@@ -133,6 +134,7 @@ define apache::vhost::template(
 }
 apache::vhost::file{$name:
+ configuration => $configuration,
 ensure => $ensure,
 do_includes => $do_includes,
 run_mode => $run_mode,
diff --git a/manifests/vhost/webdav.pp b/manifests/vhost/webdav.pp
index e1b6c3f..ff9e8ab 100644
--- a/manifests/vhost/webdav.pp
+++ b/manifests/vhost/webdav.pp
@@ -25,6 +25,7 @@
 #
 define apache::vhost::webdav(
 $ensure = present,
+ $configuration = {},
 $domain = 'absent',
 $domainalias = 'absent',
 $server_admin = 'absent',
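Review bot: In the apache::vhost::template hunk `@@ -133,6 +134,7 @@` the new `configuration => $configuration,` line is placed before `ensure => $ensure,`, while every other call site in this commit (vhost.pp, gitweb.pp, passenger.pp, static.pp, proxy.pp, redirect.pp and the php defines) puts it directly after `ensure`. Moving the line below `ensure => $ensure,` keeps the resource declarations reading alike across the module, which matters for a parameter that now appears in some twenty places. The enclosing define continues outside the hunk.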
@@ -93,6 +94,7 @@ define apache::vhost::webdav(
 # create vhost configuration file
 ::apache::vhost{$name:
 ensure => $ensure,
+ configuration => $configuration,
 path => $path,
 path_is_webdir => $path_is_webdir,
 logpath => $logpath,
diff --git a/templates/include.d/ssl_defaults.inc.erb b/templates/include.d/ssl_defaults.inc.erb
new file mode 100644
index 0000000..236eb78
--- /dev/null
+++ b/templates/include.d/ssl_defaults.inc.erb
@@ -0,0 +1,81 @@ +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +SSLEngine on + +# SSL Protocol support: +# List the enable protocol levels with which clients will be able to +# connect. Disable SSLv2 access by default: +SSLProtocol All -SSLv2 -SSLv3 + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. +# See the mod_ssl documentation for a complete list. +SSLCipherSuite "<%= scope.lookupvar('apache::ssl_cipher_suite') %>" + +SSLHonorCipherOrder on + +# SSL Engine Options: +# Set various options for the SSL engine. +# o FakeBasicAuth: +# Translate the client X.509 into a Basic Authorisation. This means that +# the standard Auth/DBMAuth methods can be used for access control. The +# user name is the `one line' version of the client's X.509 certificate. +# Note that no password is obtained from the user. Every entry in the user +# file needs this password: `xxj31ZMTZzkVA'. +# o ExportCertData: +# This exports two additional environment variables: SSL_CLIENT_CERT and +# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the +# server (always existing) and the client (only existing when client +# authentication is used). This can be used to import the certificates +# into CGI scripts. +# o StdEnvVars: +# This exports the standard SSL/TLS related `SSL_*' environment variables. +# Per default this exportation is switched off for performance reasons, +# because the extraction step is an expensive operation and is usually +# useless for serving static content. So one usually enables the +# exportation for CGI and SSI requests only. +# o StrictRequire: +# This denies access when "SSLRequireSSL" or "SSLRequire" applied even +# under a "Satisfy any" situation, i.e. when it applies access is denied +# and no other module can change it. +# o OptRenegotiate: +# This enables optimized SSL connection renegotiation handling when SSL +# directives are used in per-directory context. 
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + +# SSL Protocol Adjustments: +# The safe and default but still SSL/TLS standard compliant shutdown +# approach is that mod_ssl sends the close notify alert but doesn't wait for +# the close notify alert from client. When you need a different shutdown +# approach you can use one of the following variables: +# o ssl-unclean-shutdown: +# This forces an unclean shutdown when the connection is closed, i.e. no +# SSL close notify alert is send or allowed to received. This violates +# the SSL/TLS standard but is needed for some brain-dead browsers. Use +# this when you receive I/O errors because of the standard approach where +# mod_ssl sends the close notify alert. +# o ssl-accurate-shutdown: +# This forces an accurate shutdown when the connection is closed, i.e. a +# SSL close notify alert is send and mod_ssl waits for the close notify +# alert of the client. This is 100% SSL/TLS standard compliant, but in +# practice often causes hanging connections with brain-dead browsers. Use +# this only for browsers where you know that their SSL implementation +# works correctly. +# Notice: Most problems of broken clients are also related to the HTTP +# keep-alive facility, so you usually additionally want to disable +# keep-alive for those clients, too. Use variable "nokeepalive" for this. +# Similarly, one has to force some clients to use HTTP/1.0 to workaround +# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and +# "force-response-1.0" for this. +SetEnvIf User-Agent ".*MSIE.*" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + +# set STS Header +Header add Strict-Transport-Security "max-age=15768000" diff --git a/templates/vhosts/0-default_ssl.conf.erb b/templates/vhosts/0-default_ssl.conf.erb new file mode 100644 index 0000000..86e4979 --- /dev/null +++ b/templates/vhosts/0-default_ssl.conf.erb 
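Review bot: `Header add Strict-Transport-Security "max-age=15768000"` at the end of the new ssl_defaults.inc.erb appends a header rather than setting it, so a vhost or application that also emits HSTS yields duplicate Strict-Transport-Security headers, of which RFC 6797 tells clients to process only the first; and without `always` the header is left off non-2xx responses such as redirects and error pages, so `Header always set Strict-Transport-Security "max-age=15768000"` is the safer form. The directive also requires mod_headers, which nothing in this commit loads or checks; wrapping it in `<IfModule mod_headers.c>` … `</IfModule>` keeps a host without the module bootable (at the cost of silently losing the header), or the module should be declared a dependency. Separately, the `SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0` block carried over from the deleted per-OS files still forces HTTP/1.0 and an unclean shutdown for every MSIE release; that predates this commit, but it is worth a follow-up now that the file is a single template.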
@@ -0,0 +1,21 @@ +############################################################ +### This file is managed by PUPPET! #### +### Only modify in repo or you will loose the changes! #### +############################################################ + + + Include include.d/defaults.inc + Include include.d/ssl_defaults.inc + DocumentRoot /var/www/html + + # Use separate log files for the SSL virtual host; note that LogLevel + # is not inherited from httpd.conf. + ErrorLog logs/ssl_error_log + TransferLog logs/ssl_access_log + LogLevel warn + +<%= scope.function_templatewlv(['apache/vhosts/partials/ssl.erb', + {'configuration' => {}}]) %> + + +# vim: ts=4 filetype=apache diff --git a/templates/vhosts/default.erb b/templates/vhosts/default.erb index 79e713d..f911236 100644 --- a/templates/vhosts/default.erb +++ b/templates/vhosts/default.erb @@ -7,7 +7,9 @@ end vhost_parts.each do |vhost_part| -%> > -<%= scope.function_templatewlv(['apache/vhosts/partials/header_default.erb', {'vhost_part' => vhost_part } ]) %> +<%= scope.function_templatewlv(['apache/vhosts/partials/header_default.erb', + {'vhost_part' => vhost_part, + 'configuration' => configuration,}]) %> <%= scope.function_template(['apache/vhosts/partials/logs.erb']) %> diff --git a/templates/vhosts/partials/header_default.erb b/templates/vhosts/partials/header_default.erb index 266fc79..cd4d04c 100644 --- a/templates/vhosts/partials/header_default.erb +++ b/templates/vhosts/partials/header_default.erb @@ -1,6 +1,8 @@ Include include.d/defaults.inc <% if vhost_part == :ssl -%> Include include.d/ssl_defaults.inc +<%= scope.function_templatewlv(['apache/vhosts/partials/ssl.erb', + {'configuration' => configuration}]) %> <% end -%> ServerName <%= @servername %> <% unless @serveralias.empty? || (@serveralias == 'absent') -%> diff --git a/templates/vhosts/partials/ssl.erb b/templates/vhosts/partials/ssl.erb new file mode 100644 index 0000000..24e28f5 --- /dev/null +++ b/templates/vhosts/partials/ssl.erb 
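Review bot: templates/vhosts/0-default_ssl.conf.erb hard-codes `DocumentRoot /var/www/html`, `ErrorLog logs/ssl_error_log` and `TransferLog logs/ssl_access_log`, i.e. one distribution's layout, while the per-OS files it replaces carried their own paths (the deleted OpenBSD one above uses `/var/www/htdocs/default/...`, and the Debian and Gentoo files in this commit are deleted too). Unless apache::ssl::base is only ever applied on CentOS, the default SSL vhost now points at a DocumentRoot and log directory that may not exist on the other platforms, and the template offers no per-OS switch. The deleted files' values could be selected in the template on `scope.lookupvar('::operatingsystem')`, the same way gitweb.pp picks `logpath => $::operatingsystem ? {`, or handed in through the `configuration` hash the commit introduces. The hunk does not show where this vhost's `<VirtualHost>` block opens, so the exact insertion point is inferred.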
@@ -0,0 +1,5 @@
+ SSLCertificateFile <%= configuration['ssl_certificate_file'] || scope.lookupvar('apache::default_ssl_certificate_file') %>
+ SSLCertificateKeyFile <%= configuration['ssl_certificate_key_file'] || scope.lookupvar('apache::default_ssl_certificate_key_file') %>
+<% if configuration['ssl_certificate_chain_file'] || scope.lookupvar('apache::default_ssl_certificate_chain_file') != 'absent' -%>
+ SSLCertificateChainFile <%= configuration['ssl_certificate_chain_file'] || scope.lookupvar('apache::default_ssl_certificate_chain_file') %>
+<% end -%>
-- cgit v1.2.3
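Review bot: When a vhost's `configuration` hash carries no `ssl_certificate_file`/`ssl_certificate_key_file` and the matching `apache::default_ssl_certificate_*` parameter is still at its init.pp default, the fallback value is the literal sentinel `absent`, which the first two lines of this partial write verbatim as `SSLCertificateFile absent` / `SSLCertificateKeyFile absent`; httpd then fails its config check at the next restart, and the default SSL vhost rendered by templates/vhosts/0-default_ssl.conf.erb with an empty hash is the first to hit this as soon as `$ssl` is enabled without certificates. Only the chain-file line checks for `absent`. Resolving the two values once and failing catalog compilation while either is still `absent` turns a dead web server into a Puppet error that names the missing setting:

```erb
<% ssl_cert = configuration['ssl_certificate_file'] || scope.lookupvar('apache::default_ssl_certificate_file')
   ssl_key  = configuration['ssl_certificate_key_file'] || scope.lookupvar('apache::default_ssl_certificate_key_file')
   if ssl_cert == 'absent' || ssl_key == 'absent'
     scope.function_fail(['apache ssl vhost: no certificate/key configured; set ssl_certificate_file and ssl_certificate_key_file in the vhost configuration hash or the apache::default_ssl_certificate_* class parameters'])
   end -%>
  SSLCertificateFile <%= ssl_cert %>
  SSLCertificateKeyFile <%= ssl_key %>
<%# … unchanged: SSLCertificateChainFile block … %>
```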