Added support for IP-based SSL virtual hosts in apache

apache/manifests/debian.pp

@@ -180,7 +180,7 @@ class apache::debian::sslserver inherits apache::debian::common {
 }
 
 
-define apache::debian::sslsite($root, $ssl_cert, $ssl_key, $ssl_chain) {
+define apache::debian::sslsite($ipaddr, $root, $ssl_cert, $ssl_key, $ssl_chain) {
 
     if $name == "default" {
         $site_fqdn = $homename

apache/manifests/init.pp

@@ -223,12 +223,27 @@ class apache::sslserver inherits apache::common {
 }
 
 
+# Enable SSL on port 443.
+#
+class apache::sslserver::listen {
+
+    apache::configfile { "ssl.conf":
+        content => template("apache/ssl.conf.erb"),
+        http    => false,
+        require => Class["apache::sslserver"],
+    }
+
+}
+
+
 # Configure HTTPS virtual host.
 #
 # === Parameters
 #
 #   $name:
 #       FQDN of virtual host.
+#   $ipaddr:
+#       IP address of virtual host. Defaults to _default_.
 #   $root:
 #       Path to document root. Defaults to /srv/www/https/$fqdn
 #   $ssl_cert:
@@ -246,25 +261,31 @@ class apache::sslserver inherits apache::common {
 #     ssl_key  => "puppet:///path/to/www.example.com.key",
 # }
 #
-define apache::sslsite($root="", $ssl_cert="", $ssl_key="", $ssl_chain="") {
+define apache::sslsite($ipaddr="_default_", $root="", $ssl_cert="", $ssl_key="", $ssl_chain="") {
+
+    include apache::sslserver::listen
 
     case $operatingsystem {
         debian,ubuntu: {
             $apache_ssldir = "/etc/ssl"
             apache::debian::sslsite { "${name}":
+                ipaddr    => $ipaddr,
                 root      => $root,
                 ssl_cert  => $ssl_cert,
                 ssl_key   => $ssl_key,
                 ssl_chain => $ssl_chain,
+                require   => Class["apache::sslserver::listen"],
             }
         }
         centos,fedora: {
             $apache_ssldir = "/etc/pki/tls"
             apache::redhat::sslsite { "${name}":
+                ipaddr    => $ipaddr,
                 root      => $root,
                 ssl_cert  => $ssl_cert,
                 ssl_key   => $ssl_key,
                 ssl_chain => $ssl_chain,
+                require   => Class["apache::sslserver::listen"],
             }
         }
         default: {

apache/manifests/redhat.pp

@@ -181,7 +181,7 @@ class apache::redhat::sslserver {
 }
 
 
-define apache::redhat::sslsite($root, $ssl_cert, $ssl_key, $ssl_chain) {
+define apache::redhat::sslsite($ipaddr, $root, $ssl_cert, $ssl_key, $ssl_chain) {
 
     if $name == "default" {
         $site_fqdn = $homename

apache/templates/site.https.conf.erb

@@ -1,91 +1,4 @@
-#
+<VirtualHost <%= ipaddr %>:443>
-# This is the Apache server configuration file providing SSL support.
-# It contains the configuration directives to instruct the server how to
-# serve pages over an https connection. For detailing information about these 
-# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
-# 
-# Do NOT simply read the instructions in here without understanding
-# what they do.  They're here only as hints or reminders.  If you are unsure
-# consult the online docs. You have been warned.  
-#
-
-#
-# Load SSL module if not loaded
-#
-<IfModule !mod_ssl.c>
-LoadModule ssl_module modules/mod_ssl.so
-</IfModule>
-
-#
-# When we also provide SSL we have to listen to the 
-# the HTTPS port in addition.
-#
-Listen 443
-
-<% if operatingsystem == 'CentOS' or operatingsystem == 'Fedora' -%>
-##
-##  SSL Global Context
-##
-##  All SSL configuration in this context applies both to
-##  the main server and all SSL-enabled virtual hosts.
-##
-
-#
-#   Some MIME-types for downloading Certificates and CRLs
-#
-AddType application/x-x509-ca-cert .crt
-AddType application/x-pkcs7-crl    .crl
-
-#   Pass Phrase Dialog:
-#   Configure the pass phrase gathering process.
-#   The filtering dialog program (`builtin' is a internal
-#   terminal dialog) has to provide the pass phrase on stdout.
-SSLPassPhraseDialog  builtin
-
-#   Inter-Process Session Cache:
-#   Configure the SSL Session Cache: First the mechanism 
-#   to use and second the expiring timeout (in seconds).
-#SSLSessionCache        dc:UNIX:/var/cache/mod_ssl/distcache
-SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
-SSLSessionCacheTimeout  300
-
-#   Semaphore:
-#   Configure the path to the mutual exclusion semaphore the
-#   SSL engine uses internally for inter-process synchronization. 
-SSLMutex default
-
-#   Pseudo Random Number Generator (PRNG):
-#   Configure one or more sources to seed the PRNG of the 
-#   SSL library. The seed data should be of good random quality.
-#   WARNING! On some platforms /dev/random blocks if not enough entropy
-#   is available. This means you then cannot use the /dev/random device
-#   because it would lead to very long connection times (as long as
-#   it requires to make more entropy available). But usually those
-#   platforms additionally provide a /dev/urandom device which doesn't
-#   block. So, if available, use this one instead. Read the mod_ssl User
-#   Manual for more details.
-SSLRandomSeed startup file:/dev/urandom  256
-SSLRandomSeed connect builtin
-#SSLRandomSeed startup file:/dev/random  512
-#SSLRandomSeed connect file:/dev/random  512
-#SSLRandomSeed connect file:/dev/urandom 512
-
-#
-# Use "SSLCryptoDevice" to enable any supported hardware
-# accelerators. Use "openssl engine -v" to list supported
-# engine names.  NOTE: If you enable an accelerator and the
-# server does not start, consult the error logs and ensure
-# your accelerator is functioning properly. 
-#
-SSLCryptoDevice builtin
-#SSLCryptoDevice ubsec
-<% end -%>
-
-##
-## SSL Virtual Host Context
-##
-
-<VirtualHost _default_:443>
 
 # General setup for the virtual host, inherited from global configuration
 DocumentRoot "/srv/www/https/<%= site_fqdn %>"
@@ -236,5 +149,4 @@ SetEnvIf User-Agent ".*MSIE.*" \
 
 Include <%= site_confdir %>
 
-</VirtualHost>                                  
+</VirtualHost>
-

apache/templates/ssl.conf.erb

@@ -0,0 +1,63 @@
+<IfModule !mod_ssl.c>
+LoadModule ssl_module modules/mod_ssl.so
+</IfModule>
+
+Listen 443
+<% if operatingsystem == 'CentOS' or operatingsystem == 'Fedora' -%>
+##
+##  SSL Global Context
+##
+##  All SSL configuration in this context applies both to
+##  the main server and all SSL-enabled virtual hosts.
+##
+
+#
+#   Some MIME-types for downloading Certificates and CRLs
+#
+AddType application/x-x509-ca-cert .crt
+AddType application/x-pkcs7-crl    .crl
+
+#   Pass Phrase Dialog:
+#   Configure the pass phrase gathering process.
+#   The filtering dialog program (`builtin' is a internal
+#   terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog  builtin
+
+#   Inter-Process Session Cache:
+#   Configure the SSL Session Cache: First the mechanism 
+#   to use and second the expiring timeout (in seconds).
+#SSLSessionCache        dc:UNIX:/var/cache/mod_ssl/distcache
+SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
+SSLSessionCacheTimeout  300
+
+#   Semaphore:
+#   Configure the path to the mutual exclusion semaphore the
+#   SSL engine uses internally for inter-process synchronization. 
+SSLMutex default
+
+#   Pseudo Random Number Generator (PRNG):
+#   Configure one or more sources to seed the PRNG of the 
+#   SSL library. The seed data should be of good random quality.
+#   WARNING! On some platforms /dev/random blocks if not enough entropy
+#   is available. This means you then cannot use the /dev/random device
+#   because it would lead to very long connection times (as long as
+#   it requires to make more entropy available). But usually those
+#   platforms additionally provide a /dev/urandom device which doesn't
+#   block. So, if available, use this one instead. Read the mod_ssl User
+#   Manual for more details.
+SSLRandomSeed startup file:/dev/urandom  256
+SSLRandomSeed connect builtin
+#SSLRandomSeed startup file:/dev/random  512
+#SSLRandomSeed connect file:/dev/random  512
+#SSLRandomSeed connect file:/dev/urandom 512
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names.  NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly. 
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+<% end -%>