Set SSLProxy directives even if ssl is false

RewriteRules and ProxyPass directives can require SSLProxy* configurations even if SSLEngine is not enabled.
puppetlabs · Dec 2, 2015 · 1fb2b8a · 1fb2b8a
1 parent 61fe6ad
commit 1fb2b8a
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 18 deletions.
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
@@ -788,15 +788,11 @@
   # - $ssl_crl_path
   # - $ssl_crl
   # - $ssl_crl_check
-  # - $ssl_proxyengine
   # - $ssl_protocol
   # - $ssl_cipher
   # - $ssl_honorcipherorder
   # - $ssl_verify_client
   # - $ssl_verify_depth
-  # - $ssl_proxy_check_peer_cn
-  # - $ssl_proxy_check_peer_name
-  # - $ssl_proxy_machine_cert
   # - $ssl_options
   # - $ssl_openssl_conf_cmd
   # - $apache_version
@@ -808,6 +804,19 @@
     }
   }
 
+  # Template uses:
+  # - $ssl_proxyengine
+  # - $ssl_proxy_check_peer_cn
+  # - $ssl_proxy_check_peer_name
+  # - $ssl_proxy_machine_cert
+  if $ssl_proxyengine {
+    concat::fragment { "${name}-sslproxy":
+      target  => "${priority_real}${filename}.conf",
+      order   => 210,
+      content => template('apache/vhost/_sslproxy.erb'),
+    }
+  }
+
   # Template uses:
   # - $auth_kerb
   # - $krb_method_negotiate

diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb
@@ -435,9 +435,12 @@
       it { is_expected.to contain_concat__fragment('rspec.example.com-ssl') }
       it { is_expected.to contain_concat__fragment('rspec.example.com-ssl').with(
         :content => /^\s+SSLOpenSSLConfCmd\s+DHParameters "foo.pem"$/ ) }
-      it { is_expected.to contain_concat__fragment('rspec.example.com-ssl').with(
+      it { is_expected.to contain_concat__fragment('rspec.example.com-sslproxy') }
+      it { is_expected.to contain_concat__fragment('rspec.example.com-sslproxy').with(
+        :content => /^\s+SSLProxyEngine On$/ ) }
+      it { is_expected.to contain_concat__fragment('rspec.example.com-sslproxy').with(
         :content => /^\s+SSLProxyCheckPeerCN\s+on$/ ) }
-      it { is_expected.to contain_concat__fragment('rspec.example.com-ssl').with(
+      it { is_expected.to contain_concat__fragment('rspec.example.com-sslproxy').with(
         :content => /^\s+SSLProxyCheckPeerName\s+on$/ ) }
       it { is_expected.to contain_concat__fragment('rspec.example.com-suphp') }
       it { is_expected.to contain_concat__fragment('rspec.example.com-php_admin') }
@@ -681,6 +684,7 @@
       it { is_expected.to_not contain_concat__fragment('rspec.example.com-serveralias') }
       it { is_expected.to_not contain_concat__fragment('rspec.example.com-setenv') }
       it { is_expected.to_not contain_concat__fragment('rspec.example.com-ssl') }
+      it { is_expected.to_not contain_concat__fragment('rspec.example.com-sslproxy') }
       it { is_expected.to_not contain_concat__fragment('rspec.example.com-suphp') }
       it { is_expected.to_not contain_concat__fragment('rspec.example.com-php_admin') }
       it { is_expected.to_not contain_concat__fragment('rspec.example.com-header') }
@@ -703,6 +707,18 @@
       it { is_expected.to compile }
       it { is_expected.not_to contain_concat__fragment('rspec.example.com-docroot') }
     end
+    context 'ssl_proxyengine without ssl' do
+      let :params do
+        {
+          'docroot'         => '/rspec/docroot',
+          'ssl'             => false,
+          'ssl_proxyengine' => true,
+        }
+      end
+      it { is_expected.to compile }
+      it { is_expected.not_to contain_concat__fragment('rspec.example.com-ssl') }
+      it { is_expected.to contain_concat__fragment('rspec.example.com-sslproxy') }
+    end
   end
   describe 'access logs' do
     let :facts do

diff --git a/templates/vhost/_ssl.erb b/templates/vhost/_ssl.erb
@@ -22,9 +22,6 @@
   <%- if @ssl_crl_check && scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
   SSLCARevocationCheck    "<%= @ssl_crl_check %>"
   <%- end -%>
-  <%- if @ssl_proxyengine -%>
-  SSLProxyEngine On
-  <%- end -%>
   <%- if @ssl_protocol -%>
   SSLProtocol             <%= [@ssl_protocol].flatten.compact.join(' ') %>
   <%- end -%>
@@ -40,15 +37,6 @@
   <%- if @ssl_verify_depth -%>
   SSLVerifyDepth          <%= @ssl_verify_depth %>
   <%- end -%>
-  <%- if @ssl_proxy_check_peer_cn -%>
-  SSLProxyCheckPeerCN     <%= @ssl_proxy_check_peer_cn %>
-  <%- end -%>
-  <%- if @ssl_proxy_check_peer_name -%>
-  SSLProxyCheckPeerName   <%= @ssl_proxy_check_peer_name %>
-  <%- end -%>
-  <%- if @ssl_proxy_machine_cert -%>
-  SSLProxyMachineCertificateFile "<%= @ssl_proxy_machine_cert %>"
-  <%- end -%>
   <%- if @ssl_options -%>
   SSLOptions <%= Array(@ssl_options).join(' ') %>
   <%- end -%>

diff --git a/templates/vhost/_sslproxy.erb b/templates/vhost/_sslproxy.erb
@@ -0,0 +1,14 @@
+<% if @ssl_proxyengine -%>
+
+  # SSL Proxy directives
+  SSLProxyEngine On
+  <%- if @ssl_proxy_check_peer_cn -%>
+  SSLProxyCheckPeerCN     <%= @ssl_proxy_check_peer_cn %>
+  <%- end -%>
+  <%- if @ssl_proxy_check_peer_name -%>
+  SSLProxyCheckPeerName   <%= @ssl_proxy_check_peer_name %>
+  <%- end -%>
+  <%- if @ssl_proxy_machine_cert -%>
+  SSLProxyMachineCertificateFile "<%= @ssl_proxy_machine_cert %>"
+  <%- end -%>
+<% end -%>