From b77decaf8aa51700eb1637b730b459ed34d68bdf Mon Sep 17 00:00:00 2001
From: Ossi Salmi
Date: Tue, 16 Jun 2015 12:39:43 +0300
Subject: [PATCH] apache: Add support for configuring SSLProxy with key authentication
---
 apache/manifests/init.pp | 35 ++++++++++++++++++++++++++++++
 apache/templates/sslproxy.conf.erb | 4 ++++
 2 files changed, 39 insertions(+)
 create mode 100644 apache/templates/sslproxy.conf.erb
diff --git a/apache/manifests/init.pp b/apache/manifests/init.pp
index d55842a..3f56f11 100644
--- a/apache/manifests/init.pp
+++ b/apache/manifests/init.pp
@@ -495,6 +495,41 @@ class apache::proxy($port="8080",
 }
+# Configure Apache SSLProxy with key authentication.
+#
+class apache::sslproxy(
+ $ssl_key="${::puppet_ssldir}/private_keys/${::homename}.pem",
+ $ssl_cert="${::puppet_ssldir}/certs/${::homename}.pem",
+ $ssl_ca="${::puppet_ssldir}/certs/ca.pem",
+) {
+
+ include ssl
+
+ $ssl_bundle = "${ssl::private}/apache-sslproxy.pem"
+
+ exec { 'generate-sslproxy-pem':
+ path => '/bin:/usr/bin:/sbin:/usr/sbin',
+ command => "/bin/sh -c 'umask 077 ; cat ${ssl_key} ${ssl_cert} > ${ssl_bundle}'",
+ creates => $ssl_bundle,
+ }
+
+ file { $ssl_bundle:
+ ensure => present,
+ mode => '0600',
+ owner => 'root',
+ group => 'root',
+ require => Exec['generate-sslproxy-pem'],
+ }
+
+ apache::configfile { 'sslproxy.conf':
+ http => false,
+ content => template('apache/sslproxy.conf'),
+ require => File[$ssl_bundle],
+ }
+
+}
+
+
 # Install mod_auth_kerb.
 #
 class apache::mod::auth_kerb($servicename=undef) {
diff --git a/apache/templates/sslproxy.conf.erb b/apache/templates/sslproxy.conf.erb
new file mode 100644
index 0000000..877ffd5
--- /dev/null
+++ b/apache/templates/sslproxy.conf.erb
@@ -0,0 +1,4 @@
+SSLProxyEngine on
+SSLProxyMachineCertificateFile <%= @ssl_bundle %>
+SSLProxyCACertificateFile <%= @ssl_ca %>
+SSLProxyVerify require
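Review bot: The `creates => $ssl_bundle` guard on `generate-sslproxy-pem` means the bundle is written exactly once, so it keeps the old key and certificate after the files named by `$ssl_key` and `$ssl_cert` are reissued, and a run in which `cat` fails partway still leaves a file behind that satisfies `creates` on every later run. Consider building the bundle atomically and comparing its content instead, e.g. `command => "/bin/sh -c 'umask 077 ; cat ${ssl_key} ${ssl_cert} > ${ssl_bundle}.tmp && mv ${ssl_bundle}.tmp ${ssl_bundle}'"` with `unless => "/bin/sh -c 'cat ${ssl_key} ${ssl_cert} | cmp -s - ${ssl_bundle}'"` in place of `creates`. The interpolated paths are also unquoted inside the `sh -c` string, so a parameter value containing whitespace or shell metacharacters would change the command; validating the three parameters as absolute paths would close that. The class comment should also state that, with the default parameters, the bundle holds a second copy of the host's Puppet agent private key.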
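Review bot: With only `SSLProxyVerify require` and `SSLProxyCACertificateFile <%= @ssl_ca %>`, the proxy accepts any backend certificate that chains to that CA, and with the `apache::sslproxy` default of `certs/ca.pem` under the Puppet SSL directory that is presumably every node the Puppet CA has signed. Whether the certificate name is matched against the backend host depends on the Apache version's defaults, so I would set it explicitly with `SSLProxyCheckPeerName on` (2.4.5 and later) or `SSLProxyCheckPeerCN on` on older releases, plus `SSLProxyCheckPeerExpire on`. Nothing here checks revocation either; refusing revoked node certificates would need `SSLProxyCARevocationFile` pointing at the CA's CRL (with `SSLProxyCARevocationCheck` on 2.4), assuming a CRL is distributed to this host.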