tmakinen/puppet
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Added support for IP-based SSL virtual hosts in apache

Browse source
This commit is contained in:
Ossi Salmi 2011-05-26 16:50:39 +03:00 committed by Timo Mkinen
parent f31cd3608d
commit 9cc2c06922
5 changed files with 89 additions and 93 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
apache/manifests/debian.pp
View file

@ -180,7 +180,7 @@ class apache::debian::sslserver inherits apache::debian::common {
}
define apache::debian::sslsite($root, $ssl_cert, $ssl_key, $ssl_chain) {
define apache::debian::sslsite($ipaddr, $root, $ssl_cert, $ssl_key, $ssl_chain) {
if $name == "default" {
$site_fqdn = $homename

23
apache/manifests/init.pp
View file

@ -223,12 +223,27 @@ class apache::sslserver inherits apache::common {
}
# Enable SSL on port 443.
#
class apache::sslserver::listen {
apache::configfile { "ssl.conf":
content => template("apache/ssl.conf.erb"),
http => false,
require => Class["apache::sslserver"],
}
}
# Configure HTTPS virtual host.
#
# === Parameters
#
# $name:
# FQDN of virtual host.
# $ipaddr:
# IP address of virtual host. Defaults to _default_.
# $root:
# Path to document root. Defaults to /srv/www/https/$fqdn
# $ssl_cert:
@ -246,25 +261,31 @@ class apache::sslserver inherits apache::common {
# ssl_key => "puppet:///path/to/www.example.com.key",
# }
#
define apache::sslsite($root="", $ssl_cert="", $ssl_key="", $ssl_chain="") {
define apache::sslsite($ipaddr="_default_", $root="", $ssl_cert="", $ssl_key="", $ssl_chain="") {
include apache::sslserver::listen
case $operatingsystem {
debian,ubuntu: {
$apache_ssldir = "/etc/ssl"
apache::debian::sslsite { "${name}":
ipaddr => $ipaddr,
root => $root,
ssl_cert => $ssl_cert,
ssl_key => $ssl_key,
ssl_chain => $ssl_chain,
require => Class["apache::sslserver::listen"],
}
}
centos,fedora: {
$apache_ssldir = "/etc/pki/tls"
apache::redhat::sslsite { "${name}":
ipaddr => $ipaddr,
root => $root,
ssl_cert => $ssl_cert,
ssl_key => $ssl_key,
ssl_chain => $ssl_chain,
require => Class["apache::sslserver::listen"],
}
}
default: {

2
apache/manifests/redhat.pp
View file

@ -181,7 +181,7 @@ class apache::redhat::sslserver {
}
define apache::redhat::sslsite($root, $ssl_cert, $ssl_key, $ssl_chain) {
define apache::redhat::sslsite($ipaddr, $root, $ssl_cert, $ssl_key, $ssl_chain) {
if $name == "default" {
$site_fqdn = $homename

90
apache/templates/site.https.conf.erb
View file

@ -1,91 +1,4 @@
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
#
# Load SSL module if not loaded
#
<IfModule !mod_ssl.c>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>
#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443
<% if operatingsystem == 'CentOS' or operatingsystem == 'Fedora' -%>
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache dc:UNIX:/var/cache/mod_ssl/distcache
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex default
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec
<% end -%>
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
<VirtualHost <%= ipaddr %>:443>
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/srv/www/https/<%= site_fqdn %>"
@ -237,4 +150,3 @@ SetEnvIf User-Agent ".*MSIE.*" \
Include <%= site_confdir %>
</VirtualHost>

63
apache/templates/ssl.conf.erb Normal file
View file

@ -0,0 +1,63 @@
<IfModule !mod_ssl.c>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>
Listen 443
<% if operatingsystem == 'CentOS' or operatingsystem == 'Fedora' -%>
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache dc:UNIX:/var/cache/mod_ssl/distcache
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex default
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec
<% end -%>