Commit

Made SPDY a toggle param.
Added ssl_ciphers and ssl_protocols as params which default to values as proposed on nginx.org.
If SSL vhost then ssl is added to listen directive as proposed on nginx.org.
igoraj committed Jun 27, 2013
1 parent 92fb4ae commit e0e5757
Showing 2 changed files with 9 additions and 3 deletions.
6 changes: 6 additions & 0 deletions manifests/resource/vhost.pp
@@ -24,6 +24,9 @@
# [*ssl_cert*] - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module.
# [*ssl_key*] - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module.
# [*ssl_port*] - Default IP Port for NGINX to listen with this SSL vHost on. Defaults to TCP 443
# [*ssl_protocols*] - SSL protocols enabled. Defaults to 'SSLv3 TLSv1 TLSv1.1 TLSv1.2'.
# [*ssl_ciphers*] - SSL ciphers enabled. Defaults to 'HIGH:!aNULL:!MD5'.
# [*spdy*] - Toggles SPDY protocol.
# [*server_name*] - List of vhostnames for which this vhost will respond. Default [$name].
# [*www_root*] - Specifies the location on disk for files to be read from. Cannot be set in conjunction with $proxy
# [*rewrite_www_to_non_www*] - Adds a server directive and rewrite rule to
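Review bot: The `[*spdy*]` entry does not say which values are accepted or what the default is. The template in this commit enables SPDY only when the value is exactly the string 'on', so the doc line should state that and name the default (`$nginx::params::nx_spdy`). It would also help to note that `ssl_protocols` and `ssl_ciphers` are written straight into the nginx directives of the same name, so readers know which syntax applies.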
@@ -69,6 +72,9 @@
$ssl_cert = undef,
$ssl_key = undef,
$ssl_port = '443',
$ssl_protocols = 'SSLv3 TLSv1 TLSv1.1 TLSv1.2',
$ssl_ciphers = 'HIGH:!aNULL:!MD5',
$spdy = $nginx::params::nx_spdy,
$proxy = undef,
$proxy_read_timeout = $nginx::params::nx_proxy_read_timeout,
$proxy_set_header = [],
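Review bot: The default for `$ssl_protocols` enables SSLv3, which is broken by the POODLE attack and prohibited by RFC 7568, and TLSv1 and TLSv1.1 are deprecated as well (RFC 8996). Default to 'TLSv1.2' and let users opt in to older protocols through the parameter. Separately, `$spdy` takes its default from `nginx::params` while the two SSL defaults are hardcoded in this signature; moving them to `nginx::params` would keep all defaults in one place.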
6 changes: 3 additions & 3 deletions templates/vhost/vhost_ssl_header.erb
@@ -1,5 +1,5 @@
server {
listen <%= listen_ip %>:<%= ssl_port %><% if scope.lookupvar('nginx::params::nx_spdy') == 'on' %> ssl spdy<% end %><% if @listen_options %><%= listen_options %><% end %>;
listen <%= listen_ip %>:<%= ssl_port %> ssl<% if spdy == 'on' %> spdy<% end %><% if @listen_options %><%= listen_options %><% end %>;
<% if ipv6_enable == 'true' && (defined? ipaddress6) %>
listen [<%= ipv6_listen_ip %>]:<%= ipv6_listen_port %> <% if @ipv6_listen_options %><%= ipv6_listen_options %><% end %> ipv6only=on;
<% end %>
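Review bot: In the new IPv4 `listen` line there is no space between ` ssl` / ` spdy` and `<%= listen_options %>`, so an option such as `default_server` renders as `ssldefault_server` or `spdydefault_server` and nginx rejects the config unless the caller adds a leading space. The IPv6 `listen` line below it has the separating space before its options; do the same here. Two smaller points: `spdy == 'on'` is a strict string comparison, so a boolean `true` silently leaves SPDY off, and the IPv6 `listen` line does not receive the `ssl` flag that this change adds to the IPv4 one.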
@@ -11,8 +11,8 @@ server {
ssl_certificate_key <%= scope.lookupvar('nginx::params::nx_conf_dir') %>/<%= name.gsub(' ', '_') %>.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_protocols SSLv3 TLSv1;
ssl_protocols <%= ssl_protocols %>;
ssl_ciphers <%= ssl_ciphers %>;
ssl_prefer_server_ciphers on;

<% if auth_basic != :undef -%>
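Review bot: `<%= ssl_protocols %>` and `<%= ssl_ciphers %>` are emitted verbatim, so an empty value, or one containing `;` or a newline, produces a broken directive or injects extra directives into the server block. Validate both parameters in `manifests/resource/vhost.pp` (non-empty, restricted character set) before the template is rendered. Note also that this changes behaviour for existing vhosts: RC4 is dropped from the cipher list and TLSv1.1/TLSv1.2 are newly enabled, which deserves a changelog entry.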