apache: Add support for HTTP Strict Transport Security

2013-08-14 14:31:23 +03:00 · 2013-08-14 14:31:23 +03:00 · e6d7688bdc
commit e6d7688bdc
parent a3b970ab8e
4 changed files with 20 additions and 3 deletions
--- a/apache/manifests/debian.pp
+++ b/apache/manifests/debian.pp
@ -186,7 +186,7 @@ class apache::debian::sslserver inherits apache::debian::common {
 }


-define apache::debian::sslsite($first, $ipaddr, $root,
+define apache::debian::sslsite($first, $hsts, $ipaddr, $root,
                               $ssl_cert, $ssl_key, $ssl_chain) {

    if $name == "default" {
--- a/apache/manifests/init.pp
+++ b/apache/manifests/init.pp
@ -266,6 +266,9 @@ class apache::sslserver::listen {
 #   $first:
 #       Bool for whether this is the first (default) vhost
 #       when using NameVirtualHost. Defaults to false.
+#   $hsts:
+#       Bool for whether to enable HTTP Strict Transport Security for this
+#       virtual host. Defaults to false.
 #   $ipaddr:
 #       IP address of virtual host. Defaults to _default_.
 #   $root:
@ -285,15 +288,21 @@ class apache::sslserver::listen {
 #     ssl_key  => "puppet:///path/to/www.example.com.key",
 # }
 #
-define apache::sslsite($first=false, $ipaddr="_default_", $root="", $ssl_cert="", $ssl_key="", $ssl_chain="") {
+define apache::sslsite($first=false, $hsts=false, $ipaddr="_default_", $root="",
+                       $ssl_cert="", $ssl_key="", $ssl_chain="") {

    include apache::sslserver::listen

+    if $hsts == true {
+        include apache::mod::headers
+    }
+
    case $::operatingsystem {
        "debian","ubuntu": {
            $apache_ssldir = "/etc/ssl"
            apache::debian::sslsite { $name:
                first     => $first,
+                hsts      => $hsts,
                ipaddr    => $ipaddr,
                root      => $root,
                ssl_cert  => $ssl_cert,
@ -306,6 +315,7 @@ define apache::sslsite($first=false, $ipaddr="_default_", $root="", $ssl_cert=""
            $apache_ssldir = "/etc/pki/tls"
            apache::redhat::sslsite { $name:
                first     => $first,
+                hsts      => $hsts,
                ipaddr    => $ipaddr,
                root      => $root,
                ssl_cert  => $ssl_cert,
--- a/apache/manifests/redhat.pp
+++ b/apache/manifests/redhat.pp
@ -225,7 +225,7 @@ class apache::redhat::sslserver {
 }


-define apache::redhat::sslsite($first, $ipaddr, $root,
+define apache::redhat::sslsite($first, $hsts, $ipaddr, $root,
                               $ssl_cert, $ssl_key, $ssl_chain) {

    if $name == "default" {
--- a/apache/templates/site.https.conf.erb
+++ b/apache/templates/site.https.conf.erb
@ -148,6 +148,13 @@ BrowserMatch "MSIE [2-5]" \
 #   compact non-error SSL logfile on a virtual host basis.
 #CustomLog logs/ssl_request_log \
 #          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+<% if @hsts == true -%>
+
+# Enable HTTP Strict Transport Security
+<IfModule mod_headers.c>
+    Header always set Strict-Transport-Security "max-age=15768000"
+</IfModule>
+<% end -%>

 Include <%= @site_confdir %>/*.conf