diff --git a/apache/manifests/debian.pp b/apache/manifests/debian.pp index 0d87d7d..02b40a3 100644 --- a/apache/manifests/debian.pp +++ b/apache/manifests/debian.pp @@ -180,7 +180,7 @@ class apache::debian::sslserver inherits apache::debian::common { } -define apache::debian::sslsite($root, $ssl_cert, $ssl_key, $ssl_chain) { +define apache::debian::sslsite($ipaddr, $root, $ssl_cert, $ssl_key, $ssl_chain) { if $name == "default" { $site_fqdn = $homename diff --git a/apache/manifests/init.pp b/apache/manifests/init.pp index 7f2e62f..c6ac505 100644 --- a/apache/manifests/init.pp +++ b/apache/manifests/init.pp @@ -223,12 +223,27 @@ class apache::sslserver inherits apache::common { } +# Enable SSL on port 443. +# +class apache::sslserver::listen { + + apache::configfile { "ssl.conf": + content => template("apache/ssl.conf.erb"), + http => false, + require => Class["apache::sslserver"], + } + +} + + # Configure HTTPS virtual host. # # === Parameters # # $name: # FQDN of virtual host. +# $ipaddr: +# IP address of virtual host. Defaults to _default_. # $root: # Path to document root. Defaults to /srv/www/https/$fqdn # $ssl_cert: 
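Review bot: The new class `apache::sslserver::listen` carries only `# Enable SSL on port 443.`, which does not tell a reader that `apache::sslsite` includes it by itself, that its job is to emit `LoadModule`/`Listen 443` exactly once for all HTTPS sites, or what `http => false` selects on `apache::configfile`. Suggested header, replacing the one-liner: `# Global SSL context (mod_ssl load + Listen 443), rendered once for every HTTPS site.` / `# Included automatically by apache::sslsite; site templates must not repeat Listen 443.` / `# http => false: presumably keeps ssl.conf out of the plain-HTTP config set — confirm against apache::configfile.` Separately, `require => Class["apache::sslserver"]` assumes that class is already declared in the catalog; a node that declares only `apache::sslsite` would fail compilation on the dependency to an undeclared class, so consider an `include apache::sslserver` ahead of the configfile resource if that class is safe to include from here.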
@@ -246,25 +261,31 @@ class apache::sslserver inherits apache::common { # ssl_key => "puppet:///path/to/www.example.com.key", # } # -define apache::sslsite($root="", $ssl_cert="", $ssl_key="", $ssl_chain="") { +define apache::sslsite($ipaddr="_default_", $root="", $ssl_cert="", $ssl_key="", $ssl_chain="") { + + include apache::sslserver::listen case $operatingsystem { debian,ubuntu: { $apache_ssldir = "/etc/ssl" apache::debian::sslsite { "${name}": + ipaddr => $ipaddr, root => $root, ssl_cert => $ssl_cert, ssl_key => $ssl_key, ssl_chain => $ssl_chain, + require => Class["apache::sslserver::listen"], } } centos,fedora: { $apache_ssldir = "/etc/pki/tls" apache::redhat::sslsite { "${name}": + ipaddr => $ipaddr, root => $root, ssl_cert => $ssl_cert, ssl_key => $ssl_key, ssl_chain => $ssl_chain, + require => Class["apache::sslserver::listen"], } } default: { diff --git a/apache/manifests/redhat.pp b/apache/manifests/redhat.pp index c4d1761..d476e62 100644 --- a/apache/manifests/redhat.pp +++ b/apache/manifests/redhat.pp @@ -181,7 +181,7 @@ class apache::redhat::sslserver { } -define apache::redhat::sslsite($root, $ssl_cert, $ssl_key, $ssl_chain) { +define apache::redhat::sslsite($ipaddr, $root, $ssl_cert, $ssl_key, $ssl_chain) { if $name == "default" { $site_fqdn = $homename diff --git a/apache/templates/site.https.conf.erb b/apache/templates/site.https.conf.erb index 7f85259..5cc06cd 100644 --- a/apache/templates/site.https.conf.erb +++ b/apache/templates/site.https.conf.erb 
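Review bot: `$ipaddr` is accepted with the default `_default_` and passed straight through to `apache::debian::sslsite` and `apache::redhat::sslsite`, and from there into the `<VirtualHost …:443>` line of the site template, with no check that it is something Apache will parse as an address; a stray value (whitespace, `>`, a hostname) breaks or rewrites the generated config only when httpd restarts, not at catalog compile time. Since this wrapper is the documented entry point, one guard here covers both platform defines: `if $ipaddr !~ /^(_default_|\*|[0-9]{1,3}(\.[0-9]{1,3}){3}|\[[0-9A-Fa-f:.]+\])$/ { fail("apache::sslsite ${name}: unsupported ipaddr '${ipaddr}'") }`. The define's body continues outside this hunk (the `default:` branch is cut off), so check that branch does not also need the new parameter.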
@@ -1,91 +1,4 @@ -# -# This is the Apache server configuration file providing SSL support. -# It contains the configuration directives to instruct the server how to -# serve pages over an https connection. For detailing information about these -# directives see -# -# Do NOT simply read the instructions in here without understanding -# what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. -# - -# -# Load SSL module if not loaded -# - -LoadModule ssl_module modules/mod_ssl.so - - -# -# When we also provide SSL we have to listen to the -# the HTTPS port in addition. -# -Listen 443 - -<% if operatingsystem == 'CentOS' or operatingsystem == 'Fedora' -%> -## -## SSL Global Context -## -## All SSL configuration in this context applies both to -## the main server and all SSL-enabled virtual hosts. -## - -# -# Some MIME-types for downloading Certificates and CRLs -# -AddType application/x-x509-ca-cert .crt -AddType application/x-pkcs7-crl .crl - -# Pass Phrase Dialog: -# Configure the pass phrase gathering process. -# The filtering dialog program (`builtin' is a internal -# terminal dialog) has to provide the pass phrase on stdout. -SSLPassPhraseDialog builtin - -# Inter-Process Session Cache: -# Configure the SSL Session Cache: First the mechanism -# to use and second the expiring timeout (in seconds). -#SSLSessionCache dc:UNIX:/var/cache/mod_ssl/distcache -SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) -SSLSessionCacheTimeout 300 - -# Semaphore: -# Configure the path to the mutual exclusion semaphore the -# SSL engine uses internally for inter-process synchronization. -SSLMutex default - -# Pseudo Random Number Generator (PRNG): -# Configure one or more sources to seed the PRNG of the -# SSL library. The seed data should be of good random quality. -# WARNING! On some platforms /dev/random blocks if not enough entropy -# is available. 
This means you then cannot use the /dev/random device -# because it would lead to very long connection times (as long as -# it requires to make more entropy available). But usually those -# platforms additionally provide a /dev/urandom device which doesn't -# block. So, if available, use this one instead. Read the mod_ssl User -# Manual for more details. -SSLRandomSeed startup file:/dev/urandom 256 -SSLRandomSeed connect builtin -#SSLRandomSeed startup file:/dev/random 512 -#SSLRandomSeed connect file:/dev/random 512 -#SSLRandomSeed connect file:/dev/urandom 512 - -# -# Use "SSLCryptoDevice" to enable any supported hardware -# accelerators. Use "openssl engine -v" to list supported -# engine names. NOTE: If you enable an accelerator and the -# server does not start, consult the error logs and ensure -# your accelerator is functioning properly. -# -SSLCryptoDevice builtin -#SSLCryptoDevice ubsec -<% end -%> - -## -## SSL Virtual Host Context -## - - +:443> # General setup for the virtual host, inherited from global configuration DocumentRoot "/srv/www/https/<%= site_fqdn %>" @@ -236,5 +149,4 @@ SetEnvIf User-Agent ".*MSIE.*" \ Include <%= site_confdir %> - - + diff --git a/apache/templates/ssl.conf.erb b/apache/templates/ssl.conf.erb new file mode 100644 index 0000000..9edec97 --- /dev/null +++ b/apache/templates/ssl.conf.erb 
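Review bot: The single added line of this hunk is shown here as `+:443>`, so the address part of the new VirtualHost opening directive is not visible in this view (presumably `<VirtualHost <%= ipaddr %>:443>` with the tag swallowed by rendering); the check that matters is that the ERB variable name matches the `ipaddr` parameter the define passes, because a mismatch renders an empty address and Apache rejects the file. With the wrapper default `_default_`, every site declared without an explicit `ipaddr` yields a `<VirtualHost _default_:443>` block; on Apache 2.2 without a matching `NameVirtualHost _default_:443` directive, the first such block answers for every hostname and serves its certificate to all of them, which is a silent misconfiguration rather than an error. Either document in the `$ipaddr` parameter comment that each HTTPS site needs its own address, or add the `NameVirtualHost` line to the global context in `ssl.conf.erb` and note that name-based HTTPS relies on SNI-capable clients.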
@@ -0,0 +1,63 @@ + +LoadModule ssl_module modules/mod_ssl.so + + +Listen 443 +<% if operatingsystem == 'CentOS' or operatingsystem == 'Fedora' -%> +## +## SSL Global Context +## +## All SSL configuration in this context applies both to +## the main server and all SSL-enabled virtual hosts. +## + +# +# Some MIME-types for downloading Certificates and CRLs +# +AddType application/x-x509-ca-cert .crt +AddType application/x-pkcs7-crl .crl + +# Pass Phrase Dialog: +# Configure the pass phrase gathering process. +# The filtering dialog program (`builtin' is a internal +# terminal dialog) has to provide the pass phrase on stdout. +SSLPassPhraseDialog builtin + +# Inter-Process Session Cache: +# Configure the SSL Session Cache: First the mechanism +# to use and second the expiring timeout (in seconds). +#SSLSessionCache dc:UNIX:/var/cache/mod_ssl/distcache +SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) +SSLSessionCacheTimeout 300 + +# Semaphore: +# Configure the path to the mutual exclusion semaphore the +# SSL engine uses internally for inter-process synchronization. +SSLMutex default + +# Pseudo Random Number Generator (PRNG): +# Configure one or more sources to seed the PRNG of the +# SSL library. The seed data should be of good random quality. +# WARNING! On some platforms /dev/random blocks if not enough entropy +# is available. This means you then cannot use the /dev/random device +# because it would lead to very long connection times (as long as +# it requires to make more entropy available). But usually those +# platforms additionally provide a /dev/urandom device which doesn't +# block. So, if available, use this one instead. Read the mod_ssl User +# Manual for more details. 
+SSLRandomSeed startup file:/dev/urandom 256 +SSLRandomSeed connect builtin +#SSLRandomSeed startup file:/dev/random 512 +#SSLRandomSeed connect file:/dev/random 512 +#SSLRandomSeed connect file:/dev/urandom 512 + +# +# Use "SSLCryptoDevice" to enable any supported hardware +# accelerators. Use "openssl engine -v" to list supported +# engine names. NOTE: If you enable an accelerator and the +# server does not start, consult the error logs and ensure +# your accelerator is functioning properly. +# +SSLCryptoDevice builtin +#SSLCryptoDevice ubsec +<% end -%>
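Review bot: `SSLMutex default` is copied from the 2.2-era distribution ssl.conf; on httpd 2.4 that directive was removed in favour of the core `Mutex` directive, so a CentOS/Fedora host on 2.4 fails to start with an unknown-directive error — if any such release is in scope, guard the line on the Apache version or switch it to `Mutex`. `LoadModule ssl_module modules/mod_ssl.so` and `Listen 443` are emitted unconditionally for every platform, while the rest of the global context is confined to the CentOS/Fedora branch; on Debian/Ubuntu the packaged `ports.conf` commonly opens 443 itself once mod_ssl is enabled and the module is loaded from a different path, so a second `Listen 443` would fail at bind time — confirm the module owns `ports.conf`, or move those two lines under the platform branch too. The file also lacks a header saying why it exists; suggested first line: `# Global SSL context shared by every apache::sslsite, rendered once via apache::sslserver::listen.`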