From 76c56f3065f916d9083bdcbb48fc8542b9f1de30 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Defortis?= Date: Thu, 20 Apr 2017 11:56:14 +0200 Subject: [PATCH] MODULES-4737 - Additional class params for mod ssl - ssl_sessioncache which defaults to OS specific value in params.pp - ssl_proxy_protocol which defaults to an empty array which means using Apache defaults (see Apache doc [1] for more details) [1] https://httpd.apache.org/docs/current/en/mod/mod_ssl.html#sslproxyprotocol --- README.md | 2 ++ manifests/mod/ssl.pp | 17 +++++++---------- manifests/params.pp | 5 +++++ spec/classes/mod/ssl_spec.rb | 19 +++++++++++++++++++ templates/mod/ssl.conf.erb | 5 ++++- 5 files changed, 37 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 693c1ee331..35aff6d144 100644 --- a/README.md +++ b/README.md @@ -1906,7 +1906,9 @@ Installs [Apache SSL features][`mod_ssl`] and uses the `ssl.conf.erb` template t - `ssl_options`: Default: [ 'StdEnvVars' ] - `ssl_pass_phrase_dialog`: Default: 'builtin'. - `ssl_protocol`: Default: [ 'all', '-SSLv2', '-SSLv3' ]. +- `ssl_proxy_protocol`: Default: []. - `ssl_random_seed_bytes`: Valid options: A string. Default: '512'. +- `ssl_sessioncache`: Valid options: A string. Default: '300'. - `ssl_sessioncachetimeout`: Valid options: A string. Default: '300'. - `ssl_mutex`: Default: Determined based on the OS. Valid options: See [mod_ssl][mod_ssl] documentation. - RedHat/FreeBSD/Suse/Gentoo: 'default' diff --git a/manifests/mod/ssl.pp b/manifests/mod/ssl.pp index 92c456360b..cee15ef178 100644 --- a/manifests/mod/ssl.pp +++ b/manifests/mod/ssl.pp 
@@ -6,15 +6,17 @@
 $ssl_cipher = 'HIGH:MEDIUM:!aNULL:!MD5:!RC4',
 $ssl_honorcipherorder = true,
 $ssl_protocol = [ 'all', '-SSLv2', '-SSLv3' ],
+ $ssl_proxy_protocol = [],
 $ssl_pass_phrase_dialog = 'builtin',
 $ssl_random_seed_bytes = '512',
+ $ssl_sessioncache = $::apache::params::ssl_sessioncache,
 $ssl_sessioncachetimeout = '300',
 $ssl_stapling = false,
 $ssl_stapling_return_errors = undef,
 $ssl_mutex = undef,
 $apache_version = undef,
 $package_name = undef,
-) {
+) inherits ::apache::params {
 include ::apache
 include ::apache::mod::mime
 $_apache_version = pick($apache_version, $apache::apache_version)
@@ -51,6 +53,9 @@
 validate_bool($ssl_compression)
+ validate_array($ssl_proxy_protocol)
+ validate_string($ssl_sessioncache)
+
 if is_bool($ssl_honorcipherorder) {
 $_ssl_honorcipherorder = $ssl_honorcipherorder
 } else {
@@ -61,14 +66,6 @@
 }
 }
- $session_cache = $::osfamily ? {
- 'debian' => "\${APACHE_RUN_DIR}/ssl_scache(512000)",
- 'redhat' => '/var/cache/mod_ssl/scache(512000)',
- 'freebsd' => '/var/run/ssl_scache(512000)',
- 'gentoo' => '/var/run/ssl_scache(512000)',
- 'Suse' => '/var/lib/apache2/ssl_scache(512000)'
- }
-
 validate_bool($ssl_stapling)
 if $ssl_stapling_return_errors != undef {
@@ -111,7 +108,7 @@
 # $ssl_honorcipherorder
 # $ssl_options
 # $ssl_openssl_conf_cmd
- # $session_cache
+ # $ssl_sessioncache
 # $stapling_cache
 # $ssl_mutex
 # $ssl_random_seed_bytes
diff --git a/manifests/params.pp b/manifests/params.pp
index e1ca7b3c20..4fdb834910 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -85,6 +85,7 @@
 $default_ssl_cert = '/etc/pki/tls/certs/localhost.crt'
 $default_ssl_key = '/etc/pki/tls/private/localhost.key'
 $ssl_certs_dir = '/etc/pki/tls/certs'
+ $ssl_sessioncache = '/var/cache/mod_ssl/scache(512000)'
 $passenger_conf_file = 'passenger_extra.conf'
 $passenger_conf_package_file = 'passenger.conf'
 $passenger_root = undef
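Review bot: `$ssl_proxy_protocol = []` leaves the TLS versions httpd will speak to proxied backends at httpd's built-in default, while `$ssl_protocol` two lines above pins the inbound side to `[ 'all', '-SSLv2', '-SSLv3' ]`; what that built-in default permits varies by httpd version, so a reverse proxy is hardened inconsistently out of the box. Consider `$ssl_proxy_protocol = [ 'all', '-SSLv2', '-SSLv3' ],` (accepting that it emits an SSLProxyProtocol line for every existing user), or at least a comment on the parameter saying that an empty array means "httpd's default, not the module's protocol list". The README entry this commit adds for `ssl_sessioncache` gives its default as `'300'`, which is the `ssl_sessioncachetimeout` value; it should say the default is OS-specific and comes from `apache::params`, as the commit message states. The `apache::mod::ssl` class body continues past this hunk.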
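Review bot: `validate_string($ssl_sessioncache)` does not reject an empty value — in puppetlabs-stdlib an undef or `''` argument passes that check — so a caller setting `ssl_sessioncache => ''`, or a future `apache::params` branch that omits the variable, renders `SSLSessionCache "shmcb:"` into ssl.conf instead of failing at catalog compile time the way the removed `$::osfamily ? { … }` selector (which had no default arm) did. What httpd does with an empty shmcb path is version-dependent and may not surface until a restart, so fail early: `validate_re($ssl_sessioncache, '^\S', 'ssl_sessioncache must be a non-empty shmcb path, e.g. /var/run/ssl_scache(512000)')`. The rest of the class body lies outside this hunk.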
@@ -221,6 +222,7 @@
 $default_ssl_cert = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
 $default_ssl_key = '/etc/ssl/private/ssl-cert-snakeoil.key'
 $ssl_certs_dir = '/etc/ssl/certs'
+ $ssl_sessioncache = "\${APACHE_RUN_DIR}/ssl_scache(512000)"
 $suphp_addhandler = 'x-httpd-php'
 $suphp_engine = 'off'
 $suphp_configpath = '/etc/php5/apache2'
@@ -359,6 +361,7 @@
 $default_ssl_cert = '/usr/local/etc/apache24/server.crt'
 $default_ssl_key = '/usr/local/etc/apache24/server.key'
 $ssl_certs_dir = undef
+ $ssl_sessioncache = '/var/run/ssl_scache(512000)'
 $passenger_conf_file = 'passenger.conf'
 $passenger_conf_package_file = undef
 $passenger_root = '/usr/local/lib/ruby/gems/2.0/gems/passenger-4.0.58'
@@ -428,6 +431,7 @@
 $default_ssl_cert = '/etc/ssl/apache2/server.crt'
 $default_ssl_key = '/etc/ssl/apache2/server.key'
 $ssl_certs_dir = '/etc/ssl/apache2'
+ $ssl_sessioncache = '/var/run/ssl_scache(512000)'
 $passenger_root = '/usr'
 $passenger_ruby = '/usr/bin/ruby'
 $passenger_conf_file = 'passenger.conf'
@@ -496,6 +500,7 @@
 $default_ssl_cert = '/etc/apache2/ssl.crt/server.crt'
 $default_ssl_key = '/etc/apache2/ssl.key/server.key'
 $ssl_certs_dir = '/etc/ssl/certs'
+ $ssl_sessioncache = '/var/lib/apache2/ssl_scache(512000)'
 $suphp_addhandler = 'x-httpd-php'
 $suphp_engine = 'off'
 $suphp_configpath = '/etc/php5/apache2'
diff --git a/spec/classes/mod/ssl_spec.rb b/spec/classes/mod/ssl_spec.rb
index 10badfa033..4d1566627d 100644
--- a/spec/classes/mod/ssl_spec.rb
+++ b/spec/classes/mod/ssl_spec.rb
@@ -42,6 +42,7 @@
 it { is_expected.to contain_apache__mod('ssl') }
 it { is_expected.to contain_package('httpd24-mod_ssl') }
 it { is_expected.not_to contain_package('mod_ssl') }
+ it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLSessionCache "shmcb:/var/cache/mod_ssl/scache\(512000\)"$})}
 end
 end
@@ -96,6 +97,7 @@
 end
 it { is_expected.to contain_class('apache::params') }
 it { is_expected.to contain_apache__mod('ssl') }
+ it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLSessionCache "shmcb:/var/run/ssl_scache\(512000\)"$})}
 end
 context 'on a Suse OS' do
@@ -113,6 +115,7 @@
 end
 it { is_expected.to contain_class('apache::params') }
 it { is_expected.to contain_apache__mod('ssl') }
+ it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLSessionCache "shmcb:/var/lib/apache2/ssl_scache\(512000\)"$})}
 end
 # Template config doesn't vary by distro
 context "on all distros" do
@@ -234,5 +237,21 @@
 end
 it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLMutex posixsem$})}
 end
+ context 'setting ssl_sessioncache' do
+ let :params do
+ {
+ :ssl_sessioncache => '/tmp/customsessioncache(51200)',
+ }
+ end
+ it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLSessionCache "shmcb:/tmp/customsessioncache\(51200\)"$})}
+ end
+ context 'setting ssl_proxy_protocol' do
+ let :params do
+ {
+ :ssl_proxy_protocol => [ '-ALL', '+TLSv1'],
+ }
+ end
+ it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLProxyProtocol -ALL \+TLSv1$})}
+ end
 end
 end
diff --git a/templates/mod/ssl.conf.erb b/templates/mod/ssl.conf.erb
index c4475cbe8d..0da9dc63d6 100644
--- a/templates/mod/ssl.conf.erb
+++ b/templates/mod/ssl.conf.erb
@@ -8,7 +8,7 @@
 AddType application/x-pkcs7-crl .crl
 SSLPassPhraseDialog <%= @ssl_pass_phrase_dialog %>
- SSLSessionCache "shmcb:<%= @session_cache %>"
+ SSLSessionCache "shmcb:<%= @ssl_sessioncache %>"
 SSLSessionCacheTimeout <%= @ssl_sessioncachetimeout %>
 <%- if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%>
 Mutex <%= @_ssl_mutex %>
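Review bot: The new `setting ssl_proxy_protocol` context only shows the directive is rendered when the parameter is given; nothing asserts that the default empty array yields no `SSLProxyProtocol` line, so a template regression that always emitted the directive — presumably leaving httpd with a valueless `SSLProxyProtocol` at startup — would pass this suite. Add a negative expectation in the default-parameters context (not visible here, if one exists): `it { is_expected.to contain_file('ssl.conf').without_content(%r{SSLProxyProtocol}) }`, and consider the same for the custom `ssl_sessioncache` case so the OS default is shown to be replaced rather than duplicated. The enclosing `describe` block begins before this hunk.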
@@ -29,6 +29,9 @@
 <% end -%>
 SSLCipherSuite <%= @ssl_cipher %>
 SSLProtocol <%= @ssl_protocol.compact.join(' ') %>
+<% if not @ssl_proxy_protocol.empty? -%>
+ SSLProxyProtocol <%= @ssl_proxy_protocol.compact.join(' ') %>
+<% end -%>
 <% if @ssl_options -%>
 SSLOptions <%= @ssl_options.compact.join(' ') %>
 <% end -%>
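Review bot: `<% if not @ssl_proxy_protocol.empty? -%>` is the non-idiomatic spelling of a negated guard in Ruby; `<% unless @ssl_proxy_protocol.empty? -%>` is the form a reader expects next to the `<% if @ssl_options -%>` guard below it. The two guards also test different things — presence for `ssl_options`, emptiness for `ssl_proxy_protocol` — so an array containing only nils passes the guard and, after `compact`, renders a bare `SSLProxyProtocol` with no value; `<% unless @ssl_proxy_protocol.compact.empty? -%>` closes that gap, given that `validate_array` in the manifest is the only input check visible in this commit.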